ABSTRACT. Local reasoning about programs exploits the natural local behaviour common in programs by focussing on the footprint, that part of the resource accessed by the program. We address the problem of formally characterising and analysing the notion of footprint for abstract local functions introduced by Calcagno, O'Hearn and Yang. With our definition, we prove that the footprints are the only essential elements required for a complete specification of a local function. We formalise the notion of small specifications in local reasoning and show that, for well-founded resource models, a smallest specification always exists that only includes the footprints. We also present results for the non-well-founded case. Finally, we use this theory of footprints to investigate the conditions under which the footprints correspond to the smallest safe states. We present a new model of RAM in which, unlike the standard model, the footprints of every program correspond to the smallest safe states. We also identify a general condition on the primitive commands of a programming language which guarantees this property for arbitrary models.



1. Introduction

Local reasoning about programs focusses on the collection of resources directly acted upon by the program. It has recently been introduced and used to substantial effect in local Hoare reasoning about memory update. Researchers previously used Hoare reasoning based on First-order Logic to specify how programs interacted with the whole memory. O'Hearn, Reynolds and Yang instead introduced local Hoare reasoning based on Separation Logic [14, 11]. The idea is to reason only about the local parts of the memory — the footprints — that are accessed by a program. Intuitively, the footprints form the pre-conditions of the small axioms, which provide the smallest complete specification of the program. All the true Hoare triples are derivable from the small axioms and the general Hoare rules. In particular, the frame rule extends the reasoning to properties about the rest of the heap which has not been changed by the command.

O'Hearn, Reynolds and Yang originally introduced Separation Logic to solve the problem of how to reason about the mutation of data structures in memory. They have applied their reasoning to several memory models, including heaps based on pointer arithmetic [14], heaps with permissions [4], and the combination of heaps with variable stacks which views variables as resource [3, 11]. In each case, the basic soundness and completeness results for local Hoare reasoning are essentially the same. For this reason, Calcagno, O'Hearn and Yang [9] recently introduced abstract local functions over abstract resource models which they call separation algebras. They generalised their specific examples of local imperative commands and memory models in this abstract framework. They introduced Abstract Separation Logic to provide local Hoare reasoning about such functions, and give general soundness and completeness results.

1998 ACM Subject Classification: D.2.4 [Software/Program verification]: Correctness proofs, Formal methods, Validation; F.3.1 [Specifying and Verifying and Reasoning about Programs]: Logics of programs.
Key words and phrases: footprints, separation logic, local reasoning.
* A preliminary version of this paper appeared in the FOSSACS 2008 conference.

We believe that the general concept of a local function is a fundamental step towards establishing the theoretical foundations of local reasoning, and Abstract Separation Logic is an important generalisation of the local Hoare reasoning systems now widely studied in the literature. However, Calcagno, O'Hearn and Yang do not characterise the footprints and small axioms in this general theory, which is a significant omission. O'Hearn, Reynolds and Yang, in one of their first papers on the subject [14], state the local reasoning viewpoint as:

'to understand how a program works, it should be possible for reasoning and specification to be confined to the cells that the program actually accesses. The value of any other cell will automatically remain unchanged.'

A complete understanding of the foundations of local Hoare reasoning therefore requires a formal characterisation of the footprint notion. O'Hearn tried to formalise footprints in his work on Separation Logic (personal communication with O'Hearn). His intuition was that the footprints should be the smallest states on which the program is safe (the safety footprint), and that the small axioms arising from these footprints should give rise to a complete specification using the general rules for local Hoare reasoning. However, Yang discovered that this notion of footprint does not work, since it does not always yield a complete specification for the program. Consider the program¹

AD ::= x := new(); dispose(x)

This allocate-deallocate program allocates a new cell, stores its address value in the stack variable x, and then deallocates the cell. It is local because all its atomic constituents are local. This tiny example captures the essence of a common type of program; there are many programs which, for example, create a list, work on the list, and then destroy the list.

The smallest heap on which the AD program is safe is the empty heap emp. The specification using this pre-condition is:

$$\{emp\}\ AD\ \{emp\} \qquad (1.1)$$

We can extend our reasoning to larger heaps by applying the frame rule: for example, extending to a one-cell heap with arbitrary address $l$ and value $v$ gives

$$\{l \mapsto v\}\ AD\ \{l \mapsto v\} \qquad (1.2)$$

However, axiom (1.1) does not give the complete specification of the AD program. In fact, it captures very little of the spirit of allocation followed by de-allocation. For example, the following triple is also true:

$$\{l \mapsto v\}\ AD\ \{l \mapsto v \wedge x \neq l\} \qquad (1.3)$$

This triple (1.3) is true because, if $l$ is already allocated, then the new address cannot be $l$ and hence $x$ cannot be $l$. It cannot be derived from (1.1). However, the combination of axiom (1.1) and axiom (1.3) for arbitrary one-cell heaps does provide the smallest complete specification. This example illustrates that O'Hearn's intuitive view of the footprints as the minimal safe states just does not work for common imperative programs.



¹ Yang's example was the 'allocate-deallocate-test' program ADT ::= x := new(); dispose(x); if (x = l) then z := 0 else z := 1; x := 0. Our AD program provides a more standard example of program behaviour.
In this paper, we introduce the formal definition of the footprint of a local function that does yield a complete specification for the function. For our AD example, our definition identifies emp and the arbitrary one-cell heaps $l \mapsto v$ as footprints, as expected. We prove the general result that, for any local function, the footprints are the only elements which are essential to specify completely the behaviour of this function.

We then investigate the question of sufficiency. For well-founded resource, we show that the footprints are also always sufficient: that is, a complete specification always exists that only uses the footprints. We also explore results for the non-well-founded case, which depend on the presence of negativity. A resource has negativity if it is possible to combine two non-unit elements to get the unit, which is like taking two non-empty pieces of resource and joining them to get nothing. For non-well-founded models without negativity, such as heaps with infinitely divisible fractional permissions, either the footprints are sufficient (such as for the write command in the permissions model) or there is no smallest complete specification (such as for the read command in the permissions model). For models with negativity, such as the integers under addition, we show that there do exist smallest complete specifications based on elements that are not essential and hence not footprints.

In the final section, we apply our theory of footprints to the issue of regaining the safety footprints. We address a question that arose from discussions with O'Hearn and Yang, which is whether there is an alternative model of RAM in which the safety footprint does correspond to the actual footprint, yielding complete specifications. We present such a model based on an examination of the cause of the AD problem in the original model. We prove that in this new model the footprint of every program, including AD, does correspond to the safety footprint. Moreover, we identify a general condition on the primitive commands of a programming language which ensures that this property holds in arbitrary models.

A preliminary version of this paper was presented at the FOSSACS 2008 conference. The final section reports on work that is new to this journal version. This paper also contains the proofs which were excluded from the conference paper.

2. Background 

The discussion in this paper is based on the framework introduced in [9], where the approach of local reasoning about programs with separation logic was generalised to local reasoning about local functions that act on an abstract model of resource. Our objective in this work is to investigate the notion of footprint in this abstract setting, and this section gives a description of the underlying framework.

2.1. Separation Algebras and Local Functions. We begin by describing separation algebras, which provide a model of resource which generalises over the specific heap models used in separation logic works. Informally, a separation algebra models resource as a set of elements that can be 'glued' together to create larger elements. The 'glueing' operator satisfies properties in accordance with this resource intuition, such as commutativity and associativity, as well as the cancellation property which requires that, if we are given an element and a subelement, then 'ungluing' that subelement gives us a unique element.

Definition 2.1 (Separation Algebra). A separation algebra is a cancellative, partial commutative monoid $(\Sigma, \bullet, u)$, where $\Sigma$ is a set and $\bullet$ is a partial binary operator with unit $u$. The operator satisfies the familiar axioms of associativity, commutativity and unit, using a partial equality on $\Sigma$ where either both sides are defined and equal, or both are undefined. It also satisfies the cancellative property stating that, for each $\sigma \in \Sigma$, the partial function $\sigma \bullet (\cdot) : \Sigma \rightharpoonup \Sigma$ is injective.

We shall sometimes overload notation, using $\Sigma$ to denote the separation algebra $(\Sigma, \bullet, u)$. Examples of separation algebras include multisets with union and unit $\emptyset$, the natural numbers with addition and unit 0, heaps as finite partial functions from locations to values ([9] and example 2.8), heaps with permissions [4], and the combination of heaps and variable stacks enabling us to model programs with variables as local functions ([9], [11] and example 2.8). These examples all have an intuition of resource, with $\sigma_1 \bullet \sigma_2$ intuitively giving more resource than just $\sigma_1$ and $\sigma_2$ for $\sigma_1, \sigma_2 \neq u$. However, notice that the general notion of a separation algebra also permits examples which may not have this resource intuition, such as $\{a, u\}$ with $a \bullet a = u$. Since our aim is to investigate general properties of local reasoning, our inclination is to impose minimal restrictions on what counts as resource and to work with a simple definition of a separation algebra.

Definition 2.2 (Separateness and substate). Given a separation algebra $(\Sigma, \bullet, u)$, the separateness ($\#$) relation between two states $\sigma_0, \sigma_1 \in \Sigma$ is given by $\sigma_0 \# \sigma_1$ iff $\sigma_0 \bullet \sigma_1$ is defined. The substate ($\preceq$) relation is given by $\sigma_0 \preceq \sigma_1$ iff $\exists \sigma_2.\ \sigma_1 = \sigma_0 \bullet \sigma_2$. We write $\sigma_0 \prec \sigma_1$ when $\sigma_0 \preceq \sigma_1$ and $\sigma_0 \neq \sigma_1$.

Lemma 2.3 (Subtraction). For $\sigma_1, \sigma_2 \in \Sigma$, if $\sigma_1 \preceq \sigma_2$ then there exists a unique element denoted $\sigma_2 - \sigma_1 \in \Sigma$, such that $(\sigma_2 - \sigma_1) \bullet \sigma_1 = \sigma_2$.

Proof. Existence follows by definition of $\preceq$. For uniqueness, assume there exist $\sigma', \sigma'' \in \Sigma$ such that $\sigma' \bullet \sigma_1 = \sigma_2$ and $\sigma'' \bullet \sigma_1 = \sigma_2$. Then we have $\sigma' \bullet \sigma_1 = \sigma'' \bullet \sigma_1$, and thus by the cancellation property we have $\sigma' = \sigma''$. □

We consider functions on separation algebras that generalise imperative programs operating on heaps. Such programs can behave non-deterministically, and can also fault. To model non-determinism, we consider functions from a separation algebra $\Sigma$ to its powerset $\mathcal{P}(\Sigma)$. To model faulting, we add a special top element $\top$ to the powerset. We therefore consider total functions of the form $f : \Sigma \to \mathcal{P}(\Sigma)^\top$. On any element of $\Sigma$, the function can either map to a set of elements, which models safe execution with non-deterministic outcomes, or to $\top$, which models a faulting execution. Mapping to the empty set represents divergence (non-termination).

Definition 2.4. The standard subset relation on the powerset is extended to $\mathcal{P}(\Sigma)^\top$ by defining $p \sqsubseteq \top$ for all $p \in \mathcal{P}(\Sigma)^\top$. The binary operator $*$ on $\mathcal{P}(\Sigma)^\top$ is given by

$$p * q = \begin{cases} \{\sigma_0 \bullet \sigma_1 \mid \sigma_0 \# \sigma_1 \wedge \sigma_0 \in p \wedge \sigma_1 \in q\} & \text{if } p, q \in \mathcal{P}(\Sigma) \\ \top & \text{otherwise} \end{cases}$$

$\mathcal{P}(\Sigma)^\top$ is a total commutative monoid under $*$ with unit $\{u\}$.

Definition 2.5 (Function ordering). For functions $f, g : \Sigma \to \mathcal{P}(\Sigma)^\top$, $f \sqsubseteq g$ iff $f(\sigma) \sqsubseteq g(\sigma)$ for all $\sigma \in \Sigma$.

We shall only consider functions that are well-behaved in the sense that they act locally with respect to resource. For imperative commands on the heap model, the locality conditions were first characterised in [21], where a soundness proof for local reasoning with separation logic was demonstrated for the specific heap model. The conditions identified were

• Safety monotonicity: if the command is safe on some heap, then it is safe on any larger heap.

• Frame property: if the command is safe on some heap, then in any outcome of applying the command on a larger heap, the additional heap portion will remain unchanged by the command.
In [9], these two properties were amalgamated and formulated for abstract functions on arbitrary separation algebras.

Definition 2.6 (Local Function). A local function on $\Sigma$ is a total function $f : \Sigma \to \mathcal{P}(\Sigma)^\top$ which satisfies the locality condition:

$$\sigma \# \sigma' \text{ implies } f(\sigma' \bullet \sigma) \sqsubseteq \{\sigma'\} * f(\sigma)$$

We let $LocFunc$ be the set of local functions on $\Sigma$.

Intuitively, we think of a command to be local if, whenever the command executes safely on any resource element, then the command will not 'touch' any additional resource that may be added. Safety monotonicity follows from the above definition because, if $f$ is safe on $\sigma$ ($f(\sigma) \sqsubset \top$), then it is safe on any larger state, since $f(\sigma' \bullet \sigma) \sqsubseteq \{\sigma'\} * f(\sigma) \sqsubset \top$.

The frame property follows by the fact that the additional state $\sigma'$ is preserved in the output of $f(\sigma' \bullet \sigma)$. Note, however, that the $\sqsubseteq$ ordering allows for reduced non-determinism on larger states. This, for example, is the case for the AD command from the introduction which allocates a cell, assigns its address to stack variable $x$, and then deallocates the cell. On the empty heap, its result would allow all possible values for variable $x$. However, on the larger heap where cell $l$ is already allocated, its result would allow all values for $x$ except $l$, and we therefore have a more deterministic outcome on this larger state.

Lemma 2.7. Locality is preserved under sequential composition, non-deterministic choice and Kleene-star, which are defined as

$$(f; g)(\sigma) = \begin{cases} \top & f(\sigma) = \top \\ \bigcup\{g(\sigma') \mid \sigma' \in f(\sigma)\} & \text{otherwise} \end{cases}$$

$$(f + g)(\sigma) = f(\sigma) \cup g(\sigma)$$

$$f^{*} = \bigcup_{n} f^{n}$$

Example 2.8 (Separation algebras and local functions).

(1) Plain heap model. A simple example is the separation algebra of heaps $(H, \bullet, u_H)$, where $H = L \rightharpoonup_{fin} Val$ are finite partial functions from a set of locations $L$ to a set of values $Val$ with $L \subseteq Val$, the partial operator $\bullet$ is the union of partial functions with disjoint domains, and the unit $u_H$ is the function with the empty domain. For $h \in H$, let $dom(h)$ be the domain of $h$. We write $l \mapsto v$ for the partial function with domain $\{l\}$ that maps $l$ to $v$. For $h_1, h_2 \in H$, if $h_2 \preceq h_1$ then $h_1 - h_2 = h_1|_{dom(h_1) - dom(h_2)}$. An example of a local function is the $dispose[l]$ command that deletes the cell at location $l$:

$$dispose[l](h) = \begin{cases} \{h - (l \mapsto v)\} & h \succeq (l \mapsto v) \\ \top & \text{otherwise} \end{cases}$$

The function is local: if $h \not\succeq (l \mapsto v)$ then $dispose[l](h) = \top$, and $dispose[l](h' \bullet h) \sqsubseteq \top$. Otherwise, $dispose[l](h' \bullet h) = \{(h' \bullet h) - (l \mapsto v)\} \sqsubseteq \{h'\} * \{h - (l \mapsto v)\} = \{h'\} * dispose[l](h)$.

(2) Heap and stack. There are two approaches to modelling the stack in the literature. One is to treat the stack as a total function from variables to values, and only combine two heap and stack pairs if the stacks are the same. The other approach, which we use here, is to allow splitting of the variable stack and treat it as part of the resource. We can incorporate the variable stack into the heap model by using the set $H = L \cup Var \rightharpoonup_{fin} Val$, where $L$ and $Val$ are as before and $Var$ is the set of stack variables $\{x, y, z, \ldots\}$. The $\bullet$ operator combines heap and stack portions with disjoint domains, and is undefined otherwise. The unit $u_H$ is the function with the empty domain which represents the empty heap and empty stack. Although this approach is limited to disjoint reference to stack variables, this constraint can be lifted by enriching the separation algebra with permissions [4]. However, this added complexity using permissions can be avoided for the discussion in this paper. For a state $h \in H$, we let $loc(h)$ and $var(h)$ denote the set of heap locations and stack variables in the domain of $h$ respectively. In this model we can define the allocation and deallocation commands as

$$new[x](h) = \begin{cases} \{h' \bullet x \mapsto l \bullet l \mapsto w \mid w \in Val,\ l \in L \setminus loc(h')\} & h = h' \bullet x \mapsto v \\ \top & \text{otherwise} \end{cases}$$

$$dispose[x](h) = \begin{cases} \{h' \bullet x \mapsto l\} & h = h' \bullet x \mapsto l \bullet l \mapsto v \\ \top & \text{otherwise} \end{cases}$$

Commands for heap mutation and lookup can be defined as

$$mutate[x, v](h) = \begin{cases} \{h' \bullet x \mapsto l \bullet l \mapsto v\} & h = h' \bullet x \mapsto l \bullet l \mapsto w \\ \top & \text{otherwise} \end{cases}$$

$$lookup[x, y](h) = \begin{cases} \ldots & \\ \top & \text{otherwise} \end{cases}$$

The AD command described in the introduction, which is the composition $new[x]; dispose[x]$, corresponds to the following local function

$$AD(h) = \begin{cases} \{h' \bullet x \mapsto l \mid l \in L \setminus loc(h')\} & h = h' \bullet x \mapsto v \\ \top & \text{otherwise} \end{cases}$$

Note that in all cases, any stack variables that the command refers to should be in the stack in order for the command to execute safely, otherwise the command will be acting non-locally.

(3) Integers. The integers form a separation algebra under addition with identity 0. In this case we have that any 'adding' function $f(x) = \{x + c\}$ that adds a constant $c$ is local, while a function that multiplies by a constant $c$, $f(x) = \{cx\}$, is non-local in general. However, the integers under multiplication also form a separation algebra with identity 1, and in this case every multiplying function is local but not every adding function. This illustrates the point that the notion of locality of commands depends on the notion of separation of resource that is being used.



2.2. Predicates, Specifications and Local Hoare Reasoning. We now present the local reasoning framework for local functions on separation algebras. This is an adaptation of Abstract Separation Logic [9], with some minor changes in formulation for the purposes of this paper. Predicates over separation algebras are treated simply as subsets of the separation algebra.

Definition 2.9. A predicate $p$ over $\Sigma$ is an element of the powerset $\mathcal{P}(\Sigma)$.

Note that the top element $\top$ is not a predicate and that the $*$ operator, although defined on $\mathcal{P}(\Sigma)^\top \times \mathcal{P}(\Sigma)^\top \to \mathcal{P}(\Sigma)^\top$, acts as a binary connective on predicates. We have the distributive law for union that, for any $X \subseteq \mathcal{P}(\Sigma)$,

$$\left(\bigcup X\right) * p = \bigcup\{x * p \mid x \in X\}$$

The same is not true for intersection in general, but does hold for precise predicates. A predicate is precise if, for any state, there is at most a single substate that satisfies the predicate.
Definition 2.10 (Precise predicate). A predicate $p \in \mathcal{P}(\Sigma)$ is precise iff, for every $\sigma \in \Sigma$, there exists at most one $\sigma_p \in p$ such that $\sigma_p \preceq \sigma$.

Thus, with precise predicates, there is at most a unique way to break a state to get a substate that satisfies the predicate. Any singleton predicate $\{\sigma\}$ is precise. Another example of a precise predicate is $\{l \mapsto v \mid v \in Val\}$ for some $l$, while $\{l \mapsto v \mid l \in L\}$ for some $v$ is not precise.

Lemma 2.11 (Precision characterization). A predicate $p$ is precise iff, for all $X \subseteq \mathcal{P}(\Sigma)$, $\left(\bigcap X\right) * p = \bigcap\{x * p \mid x \in X\}$.

Proof. We first show the left to right direction. Assume $p$ is precise. We have to show that for all $X \subseteq \mathcal{P}(\Sigma)$, $\left(\bigcap X\right) * p = \bigcap\{x * p \mid x \in X\}$. Assume $\sigma \in \left(\bigcap X\right) * p$. Then there exist $\sigma_1, \sigma_2$ such that $\sigma = \sigma_1 \bullet \sigma_2$ and $\sigma_1 \in \bigcap X$ and $\sigma_2 \in p$. Thus for all $x \in X$, $\sigma \in x * p$, and hence $\sigma \in \bigcap\{x * p \mid x \in X\}$. Now assume $\sigma \in \bigcap\{x * p \mid x \in X\}$. Then $\sigma \in x * p$ for all $x \in X$. Hence there exists $\sigma_1 \preceq \sigma$ such that $\sigma_1 \in p$. Since $p$ is precise, $\sigma_1$ is unique. Let $\sigma_2 = \sigma - \sigma_1$. Thus we have $\sigma_2 \in x$ for all $x \in X$, and so $\sigma_2 \in \bigcap X$. Hence we have $\sigma \in \left(\bigcap X\right) * p$.

For the other direction, we assume that $p$ is not precise and show that there exists an $X$ such that $\left(\bigcap X\right) * p \neq \bigcap\{x * p \mid x \in X\}$. Since $p$ is not precise, there exists $\sigma \in \Sigma$ such that, for two distinct $\sigma_1, \sigma_2 \in p$, we have $\sigma_1 \preceq \sigma$ and $\sigma_2 \preceq \sigma$. Let $\sigma'_1 = \sigma - \sigma_1$ and $\sigma'_2 = \sigma - \sigma_2$. Now let $X = \{\{\sigma'_1\}, \{\sigma'_2\}\}$. Since $\sigma \in \{\sigma'_1\} * p$ and $\sigma \in \{\sigma'_2\} * p$, we have $\sigma \in \bigcap\{x * p \mid x \in X\}$. However, because of the cancellation property, we also have that $\sigma'_1 \neq \sigma'_2$, and so $\left(\bigcap X\right) * p = \emptyset * p = \emptyset$. Hence, $\sigma \notin \left(\bigcap X\right) * p$, and we therefore have $\left(\bigcap X\right) * p \neq \bigcap\{x * p \mid x \in X\}$. □

Our Hoare reasoning framework is formulated with tuples of pre- and post-conditions, rather than the usual Hoare triples that include the function as in [9]. In our case the standard triple shall be expressed as a function $f$ satisfying a tuple $(p, q)$, written $f \models (p, q)$. The reason for this is that we shall be examining the properties that a pre- and post-condition tuple may have with respect to a given function, such as whether a given tuple is complete for a given function. This approach is very similar to the notion of the specification statement (a Hoare triple with a 'hole') introduced in [12], which is used in refinement calculi, and was also used to prove completeness of a local reasoning system in [21].

Definition 2.12 (Specification). Let $\Sigma$ be a separation algebra. A statement on $\Sigma$ is a tuple $(p, q)$, where $p, q \in \mathcal{P}(\Sigma)$ are predicates. A specification on $\Sigma$ is a set of statements. We let $\Phi_\Sigma = \mathcal{P}(\mathcal{P}(\Sigma) \times \mathcal{P}(\Sigma))$ denote the set of all specifications on $\Sigma$. We shall exclude the subscript when it is clear from the context. The domain of a specification is defined as $D(\phi) = \bigcup\{p \mid (p, q) \in \phi\}$. Domain equivalence is defined as $\phi \equiv_D \psi$ iff $D(\phi) = D(\psi)$.

Thus the domain is the union of the preconditions of all the statements in the specification. It is one possible measure of size: how much of $\Sigma$ the specification is referring to. We also adapt the notion of precise predicates to specifications.

Definition 2.13. A specification is precise iff its domain is precise.

Definition 2.14 (Satisfaction). A local function $f$ satisfies a statement $(p, q)$, written $f \models (p, q)$, iff, for all $\sigma \in p$, $f(\sigma) \sqsubseteq q$. It satisfies a specification $\phi \in \Phi$, written $f \models \phi$, iff $f \models (p, q)$ for all $(p, q) \in \phi$.

Definition 2.15 (Semantic consequence). Let $p, q, r, s \in \mathcal{P}(\Sigma)$ and $\phi, \psi \in \Phi$. Each judgement $(p, q) \models (r, s)$, $\phi \models (p, q)$, $(p, q) \models \phi$, and $\phi \models \psi$ holds iff all local functions that satisfy the left hand side also satisfy the right hand side.

Proposition 2.16 (Order Characterization). $f \sqsubseteq g$ iff for all $p, q \in \mathcal{P}(\Sigma)$, $g \models (p, q)$ implies $f \models (p, q)$. □
For every specification $\phi$, there is a 'best' local function satisfying $\phi$ (lemma 2.18), in the sense that all statements that the best local function satisfies are satisfied by any local function that satisfies $\phi$. For example, in the heap and stack separation algebra of example 2.8(2), consider the specification

$$\phi_{new} = \{(\{x \mapsto v\},\ \{x \mapsto l \bullet l \mapsto w \mid l \in L,\ w \in Val\}) \mid v \in Val\}$$

There are many local functions that satisfy this specification. Trivially, the local function that always diverges satisfies it. Another example is the local function that assigns the value $w$ of the newly allocated cell to be 0, rather than any non-deterministically chosen value. However, the best local function for this specification is the $new[x]$ function described in example 2.8(2), as it can be checked that for any local function $f$ satisfying $\phi_{new}$, we have $f \sqsubseteq new[x]$. The notion of the best local function shall be used when addressing questions about completeness of specifications. It is adapted from [9], except that we generalise to the best local function of a specification rather than a single pre- and post-condition pair.

Definition 2.17 (Best local function). For a specification $\phi \in \Phi$, the best local function of $\phi$, written $bla[\phi]$, is the function of type $\Sigma \to \mathcal{P}(\Sigma)^\top$ defined by

$$bla[\phi](\sigma) = \bigcap\{\{\sigma'\} * q \mid \sigma = \sigma' \bullet \sigma'',\ \sigma'' \in p,\ (p, q) \in \phi\}$$

As an example, it can be checked that the best local function $bla[\phi_{new}]$ of the specification $\phi_{new}$ given above is indeed the function $new[x]$ described in example 2.8(2). The following lemma presents the important properties which characterise the best local function.

Lemma 2.18. Let $\phi \in \Phi$. The following hold:

• $bla[\phi]$ is local

• $bla[\phi] \models \phi$

• if $f$ is local and $f \models \phi$ then $f \sqsubseteq bla[\phi]$

Proof. To show that $bla[\phi]$ is local, consider $\sigma_1, \sigma_2$ such that $\sigma_1 \# \sigma_2$. We then calculate

$$\begin{array}{rl}
bla[\phi](\sigma_1 \bullet \sigma_2) &= \bigcap\{\{\sigma'\} * q \mid \sigma_1 \bullet \sigma_2 = \sigma' \bullet \sigma'',\ \sigma'' \in p,\ (p, q) \in \phi\} \\
&\sqsubseteq \bigcap\{\{\sigma_1 \bullet \sigma'''\} * q \mid \sigma_2 = \sigma''' \bullet \sigma'',\ \sigma'' \in p,\ (p, q) \in \phi\} \\
&= \bigcap\{\{\sigma_1\} * \{\sigma'''\} * q \mid \sigma_2 = \sigma''' \bullet \sigma'',\ \sigma'' \in p,\ (p, q) \in \phi\} \\
&= \{\sigma_1\} * \bigcap\{\{\sigma'''\} * q \mid \sigma_2 = \sigma''' \bullet \sigma'',\ \sigma'' \in p,\ (p, q) \in \phi\} \\
&= \{\sigma_1\} * bla[\phi](\sigma_2)
\end{array}$$

In the second-last step we used the property that $\{\sigma_1\}$ is precise (lemma 2.11).

To show that $bla[\phi]$ satisfies $\phi$, consider $(p, q) \in \phi$ and $\sigma \in p$. Then $bla[\phi](\sigma) \sqsubseteq \{u\} * q = q$.

For the last point, suppose $f$ is local and $f \models \phi$. Then, for any $\sigma$ such that $\sigma = \sigma_1 \bullet \sigma_2$ and $\sigma_2 \in p$ and $(p, q) \in \phi$,

$$\begin{array}{rl}
f(\sigma) &= f(\sigma_1 \bullet \sigma_2) \\
&\sqsubseteq \{\sigma_1\} * f(\sigma_2) \\
&\sqsubseteq \{\sigma_1\} * q
\end{array}$$

Thus $f(\sigma) \sqsubseteq bla[\phi](\sigma)$.

In the case that there do not exist $\sigma_1, \sigma_2$ such that $\sigma = \sigma_1 \bullet \sigma_2$ and $\sigma_2 \in D(\phi)$, then

$$bla[\phi](\sigma) = \bigcap \emptyset = \top$$

So in this case also $f(\sigma) \sqsubseteq bla[\phi](\sigma)$. □
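As an added example (not code from the paper), the following Python model checks Definition 2.6 and Definition 2.17 by brute force on a finite instance of the heap-and-stack separation algebra of example 2.8(2), serving both that example and the best local function above. The instance (two locations, three values, the single variable $x$) and all function names are assumptions of the example; it implements $\bullet$, $*$ and $\sqsubseteq$ with $\top$, the commands $new[x]$, $dispose[x]$ and $AD$, an exhaustive check of the locality condition (including a constructed non-local function that breaks the frame property), and $bla[\phi]$ over every splitting of a state, confirming that $bla[\phi_{new}] = new[x]$ and that $AD$ on a heap with cell 1 already allocated cannot leave $x = 1$, as triple (1.3) says.

```python
from itertools import product

# Constructed finite instance (assumption, not from the paper): locations L,
# values Val with L ⊆ Val, and the single stack variable x.
L = (1, 2)
VAL = (0, 1, 2)
KEYS = ("x",) + L          # every state is a partial function from KEYS to VAL
TOP = "TOP"                # the faulting element ⊤ added to P(Σ)

def st(*cells):
    """A state: a finite partial function stored as a frozenset of (key, value)."""
    return frozenset(cells)

def dom(h): return {k for k, _ in h}
def value(h, k): return dict(h).get(k)
def without(h, k): return frozenset(c for c in h if c[0] != k)

def compose(a, b):
    """The partial operator •: union of partial functions with disjoint domains."""
    return None if dom(a) & dom(b) else a | b

def star(p, q):
    """The operator * on P(Σ)^⊤ (Definition 2.4); ⊤ is absorbing."""
    if p is TOP or q is TOP:
        return TOP
    return {c for a in p for b in q for c in [compose(a, b)] if c is not None}

def below(p, q):
    """The order ⊑ on P(Σ)^⊤: subset inclusion, with every p below ⊤."""
    return q is TOP or (p is not TOP and p <= q)

def new_x(h):
    """new[x]: fault unless x is in the stack; else pick any free l and any w."""
    if value(h, "x") is None:
        return TOP
    h1 = without(h, "x")
    return {h1 | st(("x", l), (l, w)) for l in L if l not in dom(h1) for w in VAL}

def dispose_x(h):
    """dispose[x]: delete the cell addressed by x; fault if x or that cell is absent."""
    l = value(h, "x")
    if l not in L or value(h, l) is None:
        return TOP
    return {without(h, l)}

def seq(f, g):
    """Sequential composition f; g of Lemma 2.7; a fault anywhere is a fault."""
    def fg(h):
        r = f(h)
        outs = [] if r is TOP else [g(h2) for h2 in r]
        if r is TOP or TOP in outs:
            return TOP
        return set().union(*outs)
    return fg

AD = seq(new_x, dispose_x)     # the allocate-deallocate program of the introduction

def all_states():
    """Every partial function from KEYS to VAL: the whole finite Σ (64 states)."""
    for vals in product((None,) + VAL, repeat=len(KEYS)):
        yield frozenset((k, v) for k, v in zip(KEYS, vals) if v is not None)

def is_local(f):
    """Definition 2.6 checked exhaustively: σ # σ' implies f(σ' • σ) ⊑ {σ'} * f(σ)."""
    states = list(all_states())
    return all(below(f(compose(a, b)), star({a}, f(b)))
               for a in states for b in states if compose(a, b) is not None)

def claim_cell_one(h):
    """Constructed NON-local function: silently takes location 1 when it is free."""
    return {h} if 1 in dom(h) else {h | st((1, 0))}

def bla(spec):
    """Best local function of Definition 2.17; an empty intersection is ⊤."""
    def best(h):
        cells, parts = list(h), []
        for mask in product((0, 1), repeat=len(cells)):    # every splitting h = h' • h''
            h2 = frozenset(c for c, m in zip(cells, mask) if m)
            parts += [star({h - h2}, q) for p, q in spec if h2 in p]
        return TOP if not parts else set.intersection(*parts)
    return best

# φ_new of Section 2.2 over the finite universe: ({x ↦ v}, {x ↦ l • l ↦ w}) for each v.
SPEC_NEW = [({st(("x", v))}, {st(("x", l), (l, w)) for l in L for w in VAL})
            for v in VAL]

def ad_results():
    """AD on the stack {x ↦ 0} alone, and with cell 1 already allocated."""
    return AD(st(("x", 0))), AD(st(("x", 0), (1, 5)))

def check_all():
    best = bla(SPEC_NEW)
    return {
        "new_is_local": is_local(new_x),
        "ad_is_local": is_local(AD),
        "claim_one_is_local": is_local(claim_cell_one),
        "bla_new_equals_new": all(best(h) == new_x(h) for h in all_states()),
    }
```

With only two locations, the second component of `ad_results()` is the single state `{x ↦ 2, 1 ↦ 5}`: the larger state has strictly less non-determinism than `{x ↦ 1}`, `{x ↦ 2}` on the stack alone, which is exactly the reduced non-determinism that the $\sqsubseteq$ in the locality condition permits.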
$$\text{Frame}\quad \frac{(p, q)}{(p * r,\ q * r)} \qquad\qquad \text{Consequence}\quad \frac{p' \subseteq p \qquad (p, q) \qquad q \subseteq q'}{(p', q')}$$

$$\text{Union}\quad \frac{(p_i, q_i),\ \text{all } i \in I}{\left(\bigcup_{i \in I} p_i,\ \bigcup_{i \in I} q_i\right)} \qquad\qquad \text{Intersection}\quad \frac{(p_i, q_i),\ \text{all } i \in I,\ I \neq \emptyset}{\left(\bigcap_{i \in I} p_i,\ \bigcap_{i \in I} q_i\right)}$$

Figure 1: Inference rules for local Hoare reasoning



Lemma 2.19. For $\phi \in \Phi$ and $p, q \in \mathcal{P}(\Sigma)$, $bla[\phi] \models (p, q) \iff \phi \models (p, q)$.

Proof.

$$\begin{array}{rl}
& bla[\phi] \models (p, q) \\
\iff & \text{for all local functions } f,\ f \models \phi \implies f \models (p, q) \qquad \text{(by lemma 2.18)} \\
\iff & \phi \models (p, q) \qquad \text{(by definition 2.15)}
\end{array}$$ □

The inference rules of the proof system are given in figure 1. Consequence, union and intersection are adaptations of standard rules of Hoare logic. The frame rule is what permits local reasoning, as it codifies the fact that, since all functions are local, any assertion about a separate part of resource will continue to hold for that part after the application of the function. We omit the standard rules for basic constructs such as sequential composition, non-deterministic choice, and Kleene-star which can be found in

Definition 2.20 (Proof-theoretic consequence). For predicates $p, q, r, s$ and specifications $\phi, \psi$, each of the judgements $(p, q) \vdash (r, s)$, $\phi \vdash (p, q)$, $(p, q) \vdash \phi$, and $\phi \vdash \psi$ holds iff the right-hand side is derivable from the left-hand side by the rules in figure 1.

The proof system of figure 1 is sound and complete with respect to the satisfaction relation.

Theorem 2.21 (Soundness and Completeness). $\phi \vdash (p, q) \iff \phi \models (p, q)$

Proof. Soundness can be checked by checking each of the proof rules in figure 1. The frame rule is sound by the locality condition, and the others are easy to check.

For completeness, assume we are given $\phi \models (p, q)$. By lemma 2.19 we have $bla[\phi] \models (p, q)$. So for all $\sigma \in p$, $bla[\phi](\sigma) \sqsubseteq q$, which implies

$$\bigcup_{\sigma \in p} bla[\phi](\sigma) \subseteq q \qquad (*)$$

Now we have the following derivation:

$$\begin{array}{l}
(r, s) \quad \text{for all } (r, s) \in \phi \\[4pt]
(\{\sigma'\}, s) \quad \text{for all } \sigma' \in r,\ (r, s) \in \phi \\[4pt]
(\{\sigma - \sigma'\} * \{\sigma'\},\ \{\sigma - \sigma'\} * s) \quad \text{for all } \sigma' \in r,\ (r, s) \in \phi,\ \sigma' \preceq \sigma,\ \sigma \in p \\[4pt]
\left(\bigcap_{\sigma' \preceq \sigma,\ \sigma' \in r,\ (r, s) \in \phi} \{\sigma - \sigma'\} * \{\sigma'\},\ \bigcap_{\sigma' \preceq \sigma,\ \sigma' \in r,\ (r, s) \in \phi} \{\sigma - \sigma'\} * s\right) \quad \text{for all } \sigma \in p \\[4pt]
(\{\sigma\},\ bla[\phi](\sigma)) \quad \text{for all } \sigma \in p \\[4pt]
\left(\bigcup_{\sigma \in p} \{\sigma\},\ \bigcup_{\sigma \in p} bla[\phi](\sigma)\right) \\[4pt]
(p, q)
\end{array}$$

The last step in the proof is by (*) and the rule of consequence. Note that the intersection rule can be safely applied because the argument of the intersection is necessarily non-empty (if it were empty then $bla[\phi](\sigma) = \top$, which contradicts $bla[\phi](\sigma) \sqsubseteq q$). □



3. Properties of Specifications 

We discuss certain properties of specifications as a prerequisite for our main discussion on footprints in Section 4. We introduce the notion of a complete specification for a local function, which is a specification from which follows every property that holds for the function. However, a function may have many complete specifications, so we introduce a canonical form for specifications. We show that of all the complete specifications of a local function, there exists a unique canonical complete specification for every domain. As discussed in the introduction, an important notion of local reasoning is the small specification which completely describes the behaviour of a local function by mentioning only the footprint. Thus, as a prerequisite to investigating their existence, we formalise small specifications as complete specifications with the smallest possible domain. Similarly, we define big specifications as complete specifications with the biggest domain.

Definition 3.1 (Complete Specification). A specification $\phi \in \Phi$ is a complete specification for $f$, written $complete(\phi, f)$, iff, for all $p, q \in \mathcal{P}(\Sigma)$, $f \models (p, q) \iff \phi \models (p, q)$. Let $\Phi_{comp}(f)$ be the set of all complete specifications of $f$.

$\phi$ is complete for $f$ whenever the tuples that hold for $f$ are exactly the tuples that follow from $\phi$. This also means that any two complete specifications $\phi$ and $\psi$ for a local function are semantically equivalent, that is, $\phi \models \psi$ and $\psi \models \phi$. The following proposition illustrates how the notions of best local action and complete specification are closely related.

Proposition 3.2. For all $\phi \in \Phi$ and local functions $f$, $complete(\phi, f) \iff f = bla[\phi]$.

Proof. Assume $f = bla[\phi]$. Then, by lemma 2.19, we have that $\phi$ is a complete specification for $f$.

For the converse, assume $complete(\phi, f)$. We shall show that for any $\sigma \in \Sigma$, $f(\sigma) = bla[\phi](\sigma)$.

case 1: $f(\sigma) = \top$. If $bla[\phi](\sigma) \neq \top$, then $bla[\phi] \models (\{\sigma\}, bla[\phi](\sigma))$. This means that $\phi \models (\{\sigma\}, bla[\phi](\sigma))$ (by lemma 2.19), and so $f \models (\{\sigma\}, bla[\phi](\sigma))$, but this is a contradiction. Therefore, $bla[\phi](\sigma) = \top$.

case 2: $bla[\phi](\sigma) = \top$. If $f(\sigma) \neq \top$, then $f \models (\{\sigma\}, f(\sigma))$. This means that $\phi \models (\{\sigma\}, f(\sigma))$, and so $bla[\phi] \models (\{\sigma\}, f(\sigma))$, but this is a contradiction. Therefore, $f(\sigma) = \top$.

case 3: $bla[\phi](\sigma) \neq \top$ and $f(\sigma) \neq \top$. We have

$$f \models (\{\sigma\}, f(\sigma)) \implies \phi \models (\{\sigma\}, f(\sigma)) \implies bla[\phi] \models (\{\sigma\}, f(\sigma))$$

so $bla[\phi](\sigma) \subseteq f(\sigma)$, and, since $bla[\phi] \models (\{\sigma\}, bla[\phi](\sigma))$ trivially,

$$bla[\phi] \models (\{\sigma\}, bla[\phi](\sigma)) \implies \phi \models (\{\sigma\}, bla[\phi](\sigma)) \implies f \models (\{\sigma\}, bla[\phi](\sigma))$$

so $f(\sigma) \subseteq bla[\phi](\sigma)$. Therefore $f(\sigma) = bla[\phi](\sigma)$. □
Any specification is therefore only complete for a unique local function, which is its best local action. However, a local function may have lots of complete specifications. For example, if $\varphi$ is a complete specification for $f$ and $(p, q) \in \varphi$, then $\varphi \cup \{(p, q')\}$ is also complete for $f$ if $q \sqsubseteq q'$. For this reason it will be useful to have a canonical form for specifications.

Definition 3.3 (Canonicalisation). The canonicalisation of a specification $\varphi$ is defined as $\varphi_{can} = \{(\{\sigma\}, \mathit{bla}[\varphi](\sigma)) \mid \sigma \in D(\varphi)\}$. A specification is in canonical form if it is equal to its canonicalisation. Let $\Phi_{can}(f)$ denote the set of all canonical complete specifications of $f$.

Notice that a given local function does not necessarily have a unique canonical complete specification. For example, both $\{(\{u\}, \{u\})\}$ and $\{(\{u\}, \{u\}), (\{\sigma\}, \{\sigma\})\}$, for some $\sigma \in \Sigma$, are canonical complete specifications for the identity function.

Proposition 3.4. For any specification $\varphi$, we have $\varphi \mathrel{=\!\!\mid\!\!\mid\!\!=} \varphi_{can}$.

Proof. We first show $\varphi \models \varphi_{can}$. For any $(p, q) \in \varphi_{can}$, $(p, q)$ is of the form $(\{\sigma\}, \mathit{bla}[\varphi](\sigma))$ for some $\sigma \in D(\varphi)$. So we have $\mathit{bla}[\varphi] \models (p, q)$, and so $\varphi \models (p, q)$ by lemma 2.9.

We now show $\varphi_{can} \models \varphi$. For any $(p, q) \in \varphi$, we have $\mathit{bla}[\varphi] \models (p, q)$. So for all $\sigma \in p$, $\mathit{bla}[\varphi](\sigma) \sqsubseteq q$, which implies

$$\bigsqcup_{\sigma \in p} \mathit{bla}[\varphi](\sigma) \sqsubseteq q \qquad (*)$$

Now we have the following derivation:

$$\varphi_{can} \vdash (\{\sigma\}, \mathit{bla}[\varphi](\sigma)) \quad \text{for all } \sigma \in p$$
$$\varphi_{can} \vdash \Big(\bigcup_{\sigma \in p} \{\sigma\},\ \bigsqcup_{\sigma \in p} \mathit{bla}[\varphi](\sigma)\Big)$$
$$\varphi_{can} \vdash (p, q)$$

The last step is by (*) and consequence. So we have $\varphi_{can} \vdash \varphi$, and by soundness $\varphi_{can} \models \varphi$. □

Thus, the canonicalisation of a specification is logically equivalent to the specification. The 
following corollary shows that all complete specifications that have the same domain have a unique 
canonical form, and specifications of different domains have different canonical forms. 

Corollary 3.5. $\Phi_{can}(f)$ is isomorphic to the quotient set $\Phi_{comp}(f) / \equiv_D$, under the isomorphism that maps $[\varphi]_{\equiv_D}$ to $\varphi_{can}$, for every $\varphi \in \Phi_{comp}(f)$.

Proof. By proposition 3.2, all complete specifications for $f$ have the same best local action, which is $f$ itself. So by the definition of canonicalisation, it can be seen that complete specifications with different domains have different canonicalisations, and complete specifications with the same domain have the same canonicalisation. This shows that the mapping is well-defined and injective. Every canonical complete specification $\varphi$ is also complete, and $[\varphi]_{\equiv_D}$ maps to $\varphi_{can} = \varphi$, so the mapping is surjective. □

Definition 3.6 (Small and Big specifications). $\varphi$ is a small specification for $f$ iff $\varphi \in \Phi_{comp}(f)$ and there is no $\psi \in \Phi_{comp}(f)$ such that $D(\psi) \subset D(\varphi)$. A big specification is defined similarly.

Small and big specifications are thus the specifications with the smallest and biggest domains 
respectively. The question is if/when small and big specifications exist. The following result shows 
that a canonical big specification exists for every local function. 
Proposition 3.7 (Big Specification). For any local function $f$, the canonical big specification for $f$ is given by $\varphi_{big}(f) = \{(\{\sigma\}, f(\sigma)) \mid f(\sigma) \sqsubset \top\}$.

Proof. $f \models \varphi_{big}(f)$ is trivial to check. To show $\mathit{complete}(\varphi_{big}(f), f)$, assume $f \models (p, q)$ for some $p, q \in \mathcal{P}(\Sigma)$. Note that, for any $\sigma \in p$, $f(\sigma) \sqsubseteq q$ and so $\bigsqcup_{\sigma \in p} f(\sigma) \sqsubseteq q$. We then have the derivation

$$\varphi_{big}(f) \vdash (\{\sigma\}, f(\sigma)) \quad \text{for all } f(\sigma) \sqsubset \top$$
$$\varphi_{big}(f) \vdash \Big(\bigcup_{\sigma \in p} \{\sigma\},\ \bigsqcup_{\sigma \in p} f(\sigma)\Big)$$
$$\varphi_{big}(f) \vdash (p, q)$$

By soundness we get $\varphi_{big}(f) \models (p, q)$. $\varphi_{big}(f)$ has the biggest domain because $f$ would fault on any element not included in $\varphi_{big}(f)$. □

The notion of a small specification has until now been used in an informal sense in local reason- 
ing papers lfl4l |U 13 as specifications that completely specify the behaviour of an update command 
by only describing the command's behaviour on the part of the resource that it affects. Although 
these papers present examples of such specifications for specific commands, the notion has so far 
not received a formal treatment in the general case. The question of the existence of small speci- 
fications is strongly related to the concept of footprints, since finding a small specification is about 
finding a complete specification with the smallest possible domain, and therefore enquiring about 
which elements of S are essential and sufficient for a complete specification. This requires a formal 
characterisation of the footprint notion, which we shall now present. 

4. Footprints 

In the introduction we discussed how the AD program demonstrates that the footprints of a local function do not correspond simply to the smallest safe states, as these states alone do not always yield complete specifications. In this section we introduce the definition of footprint that does yield complete specifications. In order to understand what the footprint of a local function should be, we begin by analysing the definition of locality. Recall that the definition of locality (definition 2.6) says that the action on a certain state $\sigma_1$ imposes a limit on the action on a bigger state $\sigma_2 \bullet \sigma_1$. This limit is $\{\sigma_2\} \star f(\sigma_1)$, as we have $f(\sigma_2 \bullet \sigma_1) \sqsubseteq \{\sigma_2\} \star f(\sigma_1)$.

Another way of viewing this definition is that for any state $\sigma$, the action of the function on that state has to be within the limit imposed by every substate $\sigma'$ of $\sigma$, that is, $f(\sigma) \sqsubseteq \{\sigma - \sigma'\} \star f(\sigma')$. In the case where $\sigma' = \sigma$, this condition is trivially satisfied for any function (local or non-local). The distinguishing characteristic of local functions is that this condition is also satisfied by every strict substate of $\sigma$, and thus we have

$$f(\sigma) \sqsubseteq \bigsqcap_{\sigma' \prec \sigma} \{\sigma - \sigma'\} \star f(\sigma')$$

We define this overall constraint imposed on $\sigma$ by all of its strict substates as the local limit of $f$ on $\sigma$, and show that the locality definition is equivalent to satisfying the local limit constraint.
Definition 4.1 (Local limit). For a local function $f$ on $\Sigma$ and $\sigma \in \Sigma$, the local limit of $f$ on $\sigma$ is defined as

$$L_f(\sigma) = \bigsqcap_{\sigma' \prec \sigma} \{\sigma - \sigma'\} \star f(\sigma')$$

Proposition 4.2. $f$ local $\Leftrightarrow$ $f(\sigma) \sqsubseteq L_f(\sigma)$ for all $\sigma \in \Sigma$.

Proof. Assume $f$ is local. So for any $\sigma$, for every $\sigma' \prec \sigma$, $f(\sigma) \sqsubseteq \{\sigma - \sigma'\} \star f(\sigma')$. $f(\sigma)$ is therefore smaller than the intersection of all these sets, which is $L_f(\sigma)$.

For the converse, assume the rhs and that $\sigma_1 \bullet \sigma_2$ is defined. If $\sigma_1 = u$ then $f(\sigma_1 \bullet \sigma_2) \sqsubseteq \{\sigma_1\} \star f(\sigma_2)$ and we are done. Otherwise, $\sigma_2 \prec \sigma_1 \bullet \sigma_2$ and we have $f(\sigma_1 \bullet \sigma_2) \sqsubseteq L_f(\sigma_1 \bullet \sigma_2) \sqsubseteq \{\sigma_1\} \star f(\sigma_2)$. □

Thus for any local function $f$ acting on a certain state $\sigma$, the local limit determines a smallest upper bound on the possible outcomes on $\sigma$, based on the outcomes on all smaller states. If this smallest upper bound does correspond exactly to the set of all possible outcomes on $\sigma$, then $\sigma$ is 'large enough' that just the action of $f$ on smaller states and the locality of $f$ determines the complete behaviour of $f$ on $\sigma$. In this case we will not think of $\sigma$ as a footprint of $f$, as smaller states are sufficient to determine the action of $f$ on $\sigma$. With this observation, we define footprints as those states on which the outcomes cannot be determined only by the smaller states, that is, the set of outcomes is a strict subset of the local limit.

Definition 4.3 (Footprint). For a local function $f$ and $\sigma \in \Sigma$, $\sigma$ is a footprint of $f$, written $F_f(\sigma)$, iff $f(\sigma) \sqsubset L_f(\sigma)$. We denote the set of footprints of $f$ by $F(f)$.

Note that an element $\sigma$ is therefore not a footprint if and only if the action of $f$ on $\sigma$ is at the local limit, that is $f(\sigma) = L_f(\sigma)$.

Lemma 4.4. For any local function $f$, the smallest safe states of $f$ are footprints of $f$.

Proof. Let $\sigma$ be a smallest safe state for $f$. Then for any $\sigma' \prec \sigma$, $f(\sigma') = \top$. Therefore $L_f(\sigma) = \top$ and so $f(\sigma) \sqsubset L_f(\sigma)$. □

However, the smallest safe states are not always the only footprints. An example is the AD command discussed in the introduction. The empty heap is a footprint as it is the smallest safe heap, but the heap cell $l \mapsto v$ is also a footprint.

Example 4.5 (Dispose). The footprints of the $\mathit{dispose}[l]$ command in the plain heap model (example 2.8(1)) are the cells at location $l$. We check this by considering the following cases

(1) The empty heap, $u_H$, is not a footprint since $L_{\mathit{dispose}[l]}(u_H) = \top = \mathit{dispose}[l](u_H)$

(2) Every cell $l \mapsto v$ for some $v$ is a footprint

$$L_{\mathit{dispose}[l]}(l \mapsto v) = \{l \mapsto v\} \star \mathit{dispose}[l](u_H) = \{l \mapsto v\} \star \top = \top$$
$$\mathit{dispose}[l](l \mapsto v) = \{u_H\} \sqsubset L_{\mathit{dispose}[l]}(l \mapsto v)$$

(3) Every state $\sigma$ such that $\sigma \succ (l \mapsto v)$ for some $v$ is not a footprint

$$L_{\mathit{dispose}[l]}(\sigma) \sqsubseteq \{\sigma - (l \mapsto v)\} \star \mathit{dispose}[l](l \mapsto v) = \{\sigma - (l \mapsto v)\} = \mathit{dispose}[l](\sigma)$$

By proposition 4.2 we have $L_{\mathit{dispose}[l]}(\sigma) = \mathit{dispose}[l](\sigma)$. The intuition is that $\sigma$ does not characterise any 'new' behaviour of the function: its action on $\sigma$ is just a consequence of its action on the cells at location $l$ and the locality property of the function.

(4) Every state $\sigma$ such that $\sigma \not\succeq (l \mapsto v)$ for some $v$ is not a footprint

$$L_{\mathit{dispose}[l]}(\sigma) \sqsubseteq \{\sigma\} \star \mathit{dispose}[l](u_H) = \{\sigma\} \star \top = \top = \mathit{dispose}[l](\sigma)$$

Again by proposition 4.2, $L_{\mathit{dispose}[l]}(\sigma) = \mathit{dispose}[l](\sigma)$.

Example 4.6 (AD command). The AD (Allocate-Deallocate) command was defined on the heap and stack model in example 2.8(2). We have the following cases for $\sigma$.

(1) $\sigma \not\succeq x \mapsto v_1$ for some $v_1$ is not a footprint, since $L_{\mathit{AD}}(\sigma) = \top = \mathit{AD}(\sigma)$.

(2) $\sigma = x \mapsto v_1$ for some $v_1$ is a footprint since $L_{\mathit{AD}}(\sigma) = \top$ (by case (1)) and $\mathit{AD}(\sigma) = \{x \mapsto w \mid w \in L\} \sqsubset L_{\mathit{AD}}(\sigma)$.

(3) $\sigma = l \mapsto v_1 \bullet x \mapsto v_2$ for some $l, v_1, v_2$ is a footprint.

$$L_{\mathit{AD}}(\sigma) = \{l \mapsto v_1\} \star \mathit{AD}(x \mapsto v_2) \quad \text{(AD faults on all other elements strictly smaller than } \sigma\text{)}$$
$$= \{l \mapsto v_1\} \star \{x \mapsto w \mid w \in L\}$$
$$= \{l \mapsto v_1 \bullet x \mapsto w \mid w \in L\}$$
$$\mathit{AD}(\sigma) = \{l \mapsto v_1 \bullet x \mapsto w \mid w \in L,\ w \neq l\} \sqsubset L_{\mathit{AD}}(\sigma)$$

(4) $\sigma = h \bullet x \mapsto v_1$ for some $v_1$, and where $|\mathit{loc}(h)| > 1$, is not a footprint.

$$L_{\mathit{AD}}(\sigma) \sqsubseteq \bigsqcap_{l \mapsto w \preceq h} \{h - l \mapsto w\} \star \mathit{AD}(l \mapsto w \bullet x \mapsto v_1)$$
$$= \{h \bullet x \mapsto w \mid w \notin \mathit{loc}(h)\} = \mathit{AD}(\sigma)$$

By proposition 4.2 we get $L_{\mathit{AD}}(\sigma) = \mathit{AD}(\sigma)$.

Our footprint definition therefore works properly for these specific examples. Now we give the 
formal general result which captures the underlying intuition of local reasoning, that the footprints 
of a local function are the only essential elements for a complete specification of the function. 

Theorem 4.7 (Essentiality). The footprints of a local function are the essential domain elements for any complete specification of that function, that is,

$$F_f(\sigma) \Leftrightarrow \forall \varphi \in \Phi_{comp}(f).\ \sigma \in D(\varphi)$$

Proof. Assume some fixed $f$ and $\sigma$. We establish the following equivalent statement:

$$\neg F_f(\sigma) \Leftrightarrow \exists \varphi \in \Phi_{comp}(f).\ \sigma \notin D(\varphi)$$

We first show the right to left implication. So assume $\varphi$ is a complete specification of $f$ such that $\sigma \notin D(\varphi)$. Since $\mathit{complete}(\varphi, f)$, by proposition 3.2 we have $f = \mathit{bla}[\varphi]$. So

$$f(\sigma) = \bigsqcap_{\sigma_1 \preceq \sigma,\ \sigma_1 \in p,\ (p, q) \in \varphi} \{\sigma - \sigma_1\} \star q$$

Now for any set $\{\sigma - \sigma_1\} \star q$ in the above intersection, we have that $\sigma_1 \in p$, and $(p, q) \in \varphi$ for some $p$. Since $\sigma_1 \in p$, we have $f(\sigma_1) \sqsubseteq q$, and therefore $\{\sigma - \sigma_1\} \star f(\sigma_1) \sqsubseteq \{\sigma - \sigma_1\} \star q$. Also, $\sigma_1 \neq \sigma$, because otherwise we would have $\sigma \in p$, which would contradict the assumption that $\sigma \notin D(\varphi)$. So $\sigma_1 \prec \sigma$ and we have

$$L_f(\sigma) \sqsubseteq \{\sigma - \sigma_1\} \star f(\sigma_1) \sqsubseteq \{\sigma - \sigma_1\} \star q$$

So the local limit is smaller than each set $\{\sigma - \sigma_1\} \star q$ in the intersection, and therefore it is smaller than the intersection itself: $L_f(\sigma) \sqsubseteq f(\sigma)$. We know from proposition 4.2 that $f(\sigma) \sqsubseteq L_f(\sigma)$, so we get $f(\sigma) = L_f(\sigma)$ and therefore $\neg F_f(\sigma)$.
We now show the left to right implication. Assume that $\sigma$ is not a footprint of $f$. We shall use the big specification, $\varphi_{big}(f)$, to construct a complete specification of $f$ which does not contain $\sigma$ in its domain. If $f(\sigma) = \top$ then the big specification itself is such a specification, and we are done. Otherwise assume $f(\sigma) \sqsubset \top$. Let $\varphi = \varphi_{big}(f) \setminus \{(\{\sigma\}, f(\sigma))\}$. It can be seen that $\sigma \notin D(\varphi)$. Now we need to show that $\varphi$ is complete for $f$. For this it is sufficient to show $\varphi \dashv\vdash \varphi_{big}(f)$ because we know that $\varphi_{big}(f)$ is complete for $f$. The right to left direction, $\varphi \dashv \varphi_{big}(f)$, is trivial.

For $\varphi \vdash \varphi_{big}(f)$, we just need to show $\varphi \vdash (\{\sigma\}, f(\sigma))$. We have the following derivation:

$$\varphi \vdash (\{\sigma'\}, f(\sigma')) \quad \text{for all } \sigma' \prec \sigma,\ f(\sigma') \sqsubset \top$$
$$\varphi \vdash (\{\sigma - \sigma'\} \star \{\sigma'\},\ \{\sigma - \sigma'\} \star f(\sigma')) \quad \text{for all } \sigma' \prec \sigma,\ f(\sigma') \sqsubset \top$$
$$\varphi \vdash \Big(\{\sigma\},\ \bigsqcap_{\sigma' \prec \sigma,\ f(\sigma') \sqsubset \top} \{\sigma - \sigma'\} \star f(\sigma')\Big)$$

The intersection rule can be safely applied as there is at least one $\sigma' \prec \sigma$ such that $f(\sigma') \sqsubset \top$. This is because $f(\sigma) \sqsubset \top$, so if there were no such $\sigma'$ then $\sigma$ would be a footprint, which is a contradiction. Note that the last step uses the fact that

$$\bigsqcap_{\sigma' \prec \sigma,\ f(\sigma') \sqsubset \top} \{\sigma - \sigma'\} \star f(\sigma') = \bigsqcap_{\sigma' \prec \sigma} \{\sigma - \sigma'\} \star f(\sigma') = L_f(\sigma)$$

because adding the top element to an intersection does not change its value. Since $\sigma$ is not a footprint, $f(\sigma) = L_f(\sigma)$, and so $\varphi \vdash (\{\sigma\}, f(\sigma))$. □

5. Sufficiency and Small Specifications 

We know that the footprints are the only elements that are essential for a complete specification 
of a local function in the sense that every complete specification must include them. Now we ask 
when a set of elements is sufficient for a complete specification of a local function, in the sense that 
there exists a complete specification of the function that only includes these elements. In particular, 
we wish to know if the footprints alone are sufficient. To study this, we begin by identifying the 
notion of the basis of a local function. 

5.1. Bases. In the last section we defined the local limit of a function $f$ on a state $\sigma$ as the constraint imposed on $f$ by all the strict substates of $\sigma$. This was used to identify the footprints as those states on which the action of $f$ cannot be determined by just its action on the smaller states. We are now addressing the question of when a set of states is sufficient to determine the behaviour of $f$ on any state. We shall do this by identifying a fixed set of states, which we call a basis for $f$, such that the action of $f$ on any state $\sigma$ can be determined by just the substates of $\sigma$ taken from this set (rather than all the strict substates of $\sigma$). Thus we first generalise the local limit definition to consider the constraint imposed by only the substates taken from a given set.

Definition 5.1 (Local limit imposed by a set). For a subset $A$ of a separation algebra $\Sigma$, the local limit imposed by $A$ on the action of $f$ on $\sigma$ is defined by

$$L_{A,f}(\sigma) = \bigsqcap_{\sigma' \preceq \sigma,\ \sigma' \in A} \{\sigma - \sigma'\} \star f(\sigma')$$

Sometimes, the local limit imposed by $A$ is enough to completely determine $f$. In this case, we call $A$ a basis for $f$.

Definition 5.2 (Basis). $A \subseteq \Sigma$ is a basis for $f$, written $\mathit{basis}(A, f)$, iff $L_{A,f} = f$.

This means that, when given the action of $f$ on elements in $A$ alone, we can determine the action of $f$ on any element in $\Sigma$ by just using the locality property of $f$. Every local function has at least one basis, namely the trivial basis $\Sigma$ itself. We next show the correspondence between the bases and complete specifications of a local function.

Lemma 5.3. Let $\varphi_{A,f} = \{(\{\sigma\}, f(\sigma)) \mid \sigma \in A,\ f(\sigma) \sqsubset \top\}$. Then we have $\mathit{basis}(A, f) \Leftrightarrow \mathit{complete}(\varphi_{A,f}, f)$.

Proof. We have $L_{A,f} = \mathit{bla}[\varphi_{A,f}]$ by definition. The result follows by proposition 3.2 and the definition of basis. □

For every canonical complete specification $\varphi \in \Phi_{can}(f)$, we have $\varphi = \varphi_{D(\varphi),f}$. By the previous lemma it follows that $D(\varphi)$ forms a basis for $f$. The lemma therefore shows that every basis determines a complete canonical specification, and vice versa. This correspondence also carries over to all complete specifications for $f$ by the fact that every domain-equivalent class of complete specifications for $f$ is represented by the canonical complete specification with that domain (corollary 3.5). By the essentiality of footprints (theorem 4.7), it follows that the footprints are present in every basis of a local function.

Lemma 5.4. The footprints of $f$ are included in every basis of $f$.

Proof. Every basis $A$ of $f$ determines a complete specification for $f$ the domain of which is a subset of $A$. By the essentiality theorem (4.7), the domain includes the footprints. □

The question of sufficiency is about how small the basis can get. Given a local function, we 
wish to know if it has a smallest basis. 

5.2. Well-founded Resource. We know that every basis must contain the footprints. Thus if the footprints alone form a basis, then the function will have a smallest complete specification whose domain is just the footprints. We find that, for well-founded resource models, this is indeed the case.

Theorem 5.5 (Sufficiency I). If a separation algebra $\Sigma$ is well-founded under the $\preceq$ relation, then the footprints of any local function form a basis for it, that is, $f = L_{F(f),f}$.

Proof. Assume that $\Sigma$ is well-founded under $\preceq$. We shall show by induction that $f(\sigma) = L_{F(f),f}(\sigma)$ for all $\sigma \in \Sigma$. The induction hypothesis is that, for all $\sigma' \prec \sigma$, $f(\sigma') = L_{F(f),f}(\sigma')$.

case 1: Assume $\sigma$ is a footprint of $f$. We have that $f(\sigma) = \{u\} \star f(\sigma)$ is in the intersection in the definition of $L_{F(f),f}(\sigma)$, and so $L_{F(f),f}(\sigma) \sqsubseteq f(\sigma)$. We have by locality that $f(\sigma) \sqsubseteq L_{F(f),f}(\sigma)$, and so $f(\sigma) = L_{F(f),f}(\sigma)$.

case 2: Assume $\sigma$ is not a footprint of $f$. We have

$$f(\sigma) = L_f(\sigma) \qquad \text{(because } \sigma \text{ is not a footprint of } f\text{)}$$
$$= \bigsqcap_{\sigma' \prec \sigma} \{\sigma - \sigma'\} \star f(\sigma')$$
$$= \bigsqcap_{\sigma' \prec \sigma} \{\sigma - \sigma'\} \star \bigsqcap_{\sigma'' \preceq \sigma',\ F_f(\sigma'')} \{\sigma' - \sigma''\} \star f(\sigma'') \qquad \text{(by the induction hypothesis)}$$
$$= \bigsqcap_{\sigma' \prec \sigma,\ \sigma'' \preceq \sigma',\ F_f(\sigma'')} \{\sigma - \sigma'\} \star \{\sigma' - \sigma''\} \star f(\sigma'') \qquad \text{(by precision of } \{\sigma - \sigma'\}\text{)}$$
$$= \bigsqcap_{\sigma'' \prec \sigma,\ F_f(\sigma'')} \{\sigma - \sigma''\} \star f(\sigma'') \qquad \text{(because } \sigma \text{ is not a footprint of } f\text{)}$$
$$= L_{F(f),f}(\sigma) \qquad \square$$



In section 3 the notions of big and small specifications were introduced (definition 3.6), and the existence of a big specification was shown (proposition 3.7). We are now in a position to show the existence of the small specification for well-founded resource. If $\Sigma$ is well-founded, then every local function has a small specification whose domain is the footprints of the function.

Corollary 5.6 (Small specification). For well-founded separation algebras, every local function has a small specification given by $\varphi_{F(f),f}$.

Proof. $\varphi_{F(f),f}$ is complete by theorem 5.5 and lemma 5.3. It has the smallest domain by the essentiality theorem. □

Thus, for well-founded resource, the footprints are always essential and sufficient, and specifications need not consider any other elements. In practice, small specifications may not always be in canonical form even though they always have the same domain as the canonical form. For example, the heap dispose command can have the specification $\{(\{l \mapsto v \mid v \in \mathit{Val}\}, \{u_H\})\}$ rather than the canonical one given by $\{(\{l \mapsto v\}, \{u_H\}) \mid v \in \mathit{Val}\}$.

In practical examples it is usually the case that resource is well-founded. A notable exception is 
the fractional permissions model in which the resource includes 'permissions to access', which 
can be indefinitely divided. We next investigate the non-well-founded case. 

5.3. Non-well-founded Resource. If a separation algebra is non-well-founded under the $\preceq$ relation, then there is some infinite descending chain of elements $\sigma_1 \succ \sigma_2 \succ \sigma_3 \ldots$. From a resource-oriented point of view, there are two distinct ways in which this could happen. One way is when it is possible to remove non-empty pieces of resource from a state indefinitely, as in the separation algebra of non-negative real numbers under addition. In this case any infinite descending chain does not have more than one occurrence of any element. Another way is when an infinite chain may exist because of repeated occurrences of some elements. This happens when there is negativity present in the resource: some elements have inverses in the sense that adding two non-unit elements together may give the unit. An example is the separation algebra of integers under addition, where $1 + (-1) = 0$, so adding $-1$ to $1$ is like adding negative resource. Also, since $1 = 0 + 1$, we have that $1 \succ 0 \succ 1 \succ 0 \ldots$ forms an infinite chain.
Definition 5.7 (Negativity). A separation algebra $\Sigma$ has negativity iff there exists a non-unit element $\sigma \in \Sigma$ that has an inverse; that is, $\sigma \neq u$ and $\sigma \bullet \sigma' = u$ for some $\sigma' \in \Sigma$. We say that $\Sigma$ is non-negative if no such element exists.

All separation algebras with negativity are non-well-founded because, for elements $\sigma$ and $\sigma'$ such that $\sigma \bullet \sigma' = u$, the set $\{\sigma, u\}$ forms an infinite descending chain (there is no least element). All well-founded models are therefore non-negative. For the general non-negative case, we find that either the footprints form a basis, or there is no smallest basis.

Theorem 5.8 (Sufficiency II). If $\Sigma$ is non-negative then, for any local $f$, either the footprints form a smallest basis or there is no smallest basis for $f$.

Proof. Let $A$ be a basis for $f$ (we know there is at least one, which is the trivial basis $\Sigma$ itself). If $A$ is the set of footprints then we are done. So assume $A$ contains some non-footprint $\mu$. We shall show that there exists a smaller basis for $f$, which is $A \setminus \{\mu\}$. So it suffices to show $f(\sigma) = L_{A \setminus \{\mu\}, f}(\sigma)$ for all $\sigma \in \Sigma$.

case 1: $\mu \not\preceq \sigma$. We have

$$f(\sigma) = L_{A,f}(\sigma) = \bigsqcap_{\sigma' \preceq \sigma,\ \sigma' \in A} \{\sigma - \sigma'\} \star f(\sigma') = \bigsqcap_{\sigma' \preceq \sigma,\ \sigma' \in A \setminus \{\mu\}} \{\sigma - \sigma'\} \star f(\sigma') = L_{A \setminus \{\mu\}, f}(\sigma)$$

as desired.

case 2: $\mu \preceq \sigma$. This implies

$$f(\sigma) = \Big(\bigsqcap_{\sigma' \preceq \sigma,\ \sigma' \in A \setminus \{\mu\}} \{\sigma - \sigma'\} \star f(\sigma')\Big) \sqcap \big(\{\sigma - \mu\} \star f(\mu)\big)$$

It remains to show that the right hand side of this intersection contains the left hand side:

$$\{\sigma - \mu\} \star f(\mu) = \{\sigma - \mu\} \star L_f(\mu) \qquad \text{(because } \mu \text{ is not a footprint of } f\text{)}$$
$$= \{\sigma - \mu\} \star \bigsqcap_{\sigma' \prec \mu} \{\mu - \sigma'\} \star f(\sigma')$$
$$= \{\sigma - \mu\} \star \bigsqcap_{\sigma' \prec \mu} \{\mu - \sigma'\} \star \bigsqcap_{\sigma'' \preceq \sigma',\ \sigma'' \in A \setminus \{\mu\}} \{\sigma' - \sigma''\} \star f(\sigma'')$$
$$\text{(case 1 applies because } \Sigma \text{ is non-negative, so } \sigma' \prec \mu \Rightarrow \mu \not\preceq \sigma'\text{)}$$
$$= \bigsqcap_{\sigma' \prec \mu}\ \bigsqcap_{\sigma'' \preceq \sigma',\ \sigma'' \in A \setminus \{\mu\}} \{\sigma - \mu\} \star \{\mu - \sigma'\} \star \{\sigma' - \sigma''\} \star f(\sigma'') \qquad \text{(by precision)}$$
$$= \bigsqcap_{\sigma' \prec \mu,\ \sigma'' \preceq \sigma',\ \sigma'' \in A \setminus \{\mu\}} \{\sigma - \sigma''\} \star f(\sigma'')$$
$$\sqsupseteq \bigsqcap_{\sigma'' \preceq \sigma,\ \sigma'' \in A \setminus \{\mu\}} \{\sigma - \sigma''\} \star f(\sigma'') \qquad \square$$

Corollary 5.9 (Small Specification). If $\Sigma$ is non-negative, then every local function either has a small specification given by $\varphi_{F(f),f}$ or there is no smallest complete specification for that function.

Example 5.10 (Permissions). The fractional permissions model is non-well-founded and non-negative. It can be represented by the separation algebra $H_{\mathit{Perm}} = L \rightharpoonup_{\mathit{fin}} \mathit{Val} \times P$ where $L$ and $\mathit{Val}$ are as in example 2.8 and $P$ is the interval $(0, 1]$ of rational numbers. Elements of $P$ represent 'permissions' to access a heap cell. A permission of 1 for a cell means both read and write access, while any permission less than 1 is read-only access. The operator $\bullet$ joins disjoint heaps and adds the permissions together for any cells that are present in both heaps only if the resulting permission for each heap cell does not exceed 1; the operation is undefined otherwise. In this case, the write function that updates the value at a location requires a permission of at least 1 and faults on any smaller permission. It therefore has a small specification with precondition being the cell with permission 1. The read function, however, can execute safely on any positive permission, no matter how small. Thus, this function can be completely specified with a specification that has a precondition given by the cell with permission $z$, for all $0 < z < 1$. However, this is not a smallest specification, as a smaller one can be given by further restricting $0 < z < 0.5$. We can therefore always find a smaller specification by reducing the value of $z$ but keeping it positive.

For resource with negativity, we find that it is possible to have small specifications that include non-essential elements (which by theorem 4.7 are not footprints). These elements are non-essential in the sense that complete specifications exist that do not include them, but there is no complete specification that includes only essential elements.

Example 5.11 (Integers). An example of a model with negativity is the separation algebra of integers $(\mathbb{Z}, +, 0)$. In this case there can be local functions which can have small specifications that contain non-footprints. Let $f : \mathbb{Z} \to \mathcal{P}(\mathbb{Z})^\top$ be defined as $f(n) = \{n + c\}$ for some constant $c$, as in example 2.8. $f$ is local, but it has no footprints. This is because for any $n$, $f(n) = 1 + f(n - 1)$, and so $n$ is not a footprint of $f$. However, $f$ does have small specifications, for example, $\{(\{0\}, \{c\})\}$, $\{(\{5\}, \{5 + c\})\}$, or indeed $\{(\{n\}, \{n + c\})\}$ for any $n \in \mathbb{Z}$. So although every element is non-essential, some element is required to give a complete specification.

6. Regaining Safety Footprints 

In the introduction we discussed how the notion of footprints as the smallest safe states (the safety footprint) is inadequate for giving complete specifications, as illustrated by the AD example. For this reason, so far in this paper we have investigated the general notion of footprint for arbitrary local functions on arbitrary separation algebras. Equipped with this general theory, we now investigate how the regaining of safety footprints may be achieved with different resource modelling choices. We start by presenting an alternative model of RAM, based on an investigation of why the AD phenomenon occurs in the standard model. We then demonstrate that the footprints of the AD command in this new model do correspond to the safety footprints. In the final section we identify, for arbitrary separation algebras, a condition on local functions which guarantees the equivalence of the safety footprint and the actual footprint. We then show that if this condition is met by all the primitive commands of a programming language then the safety footprints are regained for every program in the language, and finally show that this is indeed the case in our new RAM model.

6.1. An alternative model. In this section we explore an alternative heap model in which the safety footprints do correspond to the actual footprints. We begin by taking a closer look at why the AD anomaly occurs in the standard heap and stack model described in example 2.8(2). Consider an application of the allocation command in this model:

$$\mathit{new}[x](42 \mapsto v \bullet x \mapsto w) = \{42 \mapsto v \bullet x \mapsto l \bullet l \mapsto r \mid l \in L \setminus \{42\},\ r \in \mathit{Val}\}$$
The intuition of locality is that the initial state $42 \mapsto v \bullet x \mapsto w$ is only describing a local region of the heap and the stack, rather than the whole global state. In this case it says that the address 42 is initially allocated, and the definition of the allocation command is that the resulting state will have a new cell, the address of which can be anything other than 42. However, we notice that the initial state is in fact not just describing only its local region of the heap. It does state that 42 is allocated, but it also implicitly states a very global property: that all other addresses are not allocated. This is why the allocation command can choose to allocate any location that is not 42. Thus in this model, every local state implicitly contains some global allocation information which is used by the allocation command. In contrast, a command such as mutate does not require this global 'knowledge' of the allocation status of any other cell that it is not affecting. Now the global information of which cells are free changes as more resource is added to the initial state, so this can lead to program behaviour being sensitive to the addition of more resource to the initial state, and this sensitivity is apparent in the case of the AD program.

Based on this observation, we consider an alternative model. As before, a state $l \mapsto v$ will represent a local allocated region of the heap at address $l$ with value $v$. However, unlike before, this state will say nothing about the allocation status of any locations other than $l$. This information about the allocation status of other locations will be represented explicitly in a free set, which will contain every location that is not allocated in the global heap. The model can be interpreted from an ownership point of view, where the free set is to be thought of as a unique, atomic piece of resource, ownership of which needs to be obtained by a command if it wants to do allocation or deallocation. An analogy is with the permissions model: a command that wants to read or write to a cell needs ownership of the appropriate permission on that cell. In the same way, in our new model, a command that wants to do allocation or deallocation needs to have ownership of the free set: the 'permission' to see which cells are free in the global heap so that it can choose one of them to allocate, or update the free set with the address that it deallocates. On the other hand, commands that only read or write to cells shall not require ownership of the free set.

Example 6.1 (Heap model with free set). Formally, we work with a separation algebra $(H, \bullet, u_H)$. Let $L$, $\mathit{Var}$ and $\mathit{Val}$ be locations, variables and values, as before. States $h \in H$ are given by the grammar:

$$h ::= u_H \mid l \mapsto v \mid x \mapsto v \mid F \mid h \bullet h$$

where $l \in L$, $v \in \mathit{Val}$, $x \in \mathit{Var}$ and $F \in \mathcal{P}(L)$. The operator $\bullet$ is undefined for states with overlapping locations or variables. Let $\mathit{loc}(h)$ and $\mathit{var}(h)$ be the set of locations and variables in state $h$ respectively. The set $F$ carries the information of which locations are free. Thus we allow at most one free set in a state, and the free set must be disjoint from all locations in the state. So $h \bullet F$ is only defined when $\mathit{loc}(h) \cap F = \emptyset$ and $h \neq h' \bullet F'$ for any $h'$ and $F'$. We assume $\bullet$ is associative and commutative with unit $u_H$.

In this model, the allocation command requires ownership of the free set for safe execution, since it chooses the location to allocate from this set. It removes the chosen address from the free set as it allocates the cell. It is defined as

$$\mathit{new}[x](h) = \begin{cases} \{h' \bullet x \mapsto l \bullet l \mapsto w \bullet F \setminus \{l\} \mid w \in \mathit{Val},\ l \in F\} & h = h' \bullet x \mapsto v \bullet F \\ \top & \text{otherwise} \end{cases}$$

Note that the output states $h' \bullet x \mapsto l \bullet l \mapsto w \bullet F \setminus \{l\}$ are defined, since we have $l \in F$ and the input state $h' \bullet x \mapsto v \bullet F$ implies that $\mathit{loc}(h')$ is disjoint from $F$. The deallocation command also requires the free set, as it updates the set with the address of the cell that it deletes:

$$\mathit{dispose}[x](h) = \begin{cases} \{h' \bullet x \mapsto l \bullet F \cup \{l\}\} & h = h' \bullet x \mapsto l \bullet l \mapsto v \bullet F \\ \top & \text{otherwise} \end{cases}$$

Again, the output states are defined, since the input state implies that $\mathit{loc}(h') \cup \{l\}$ is disjoint from $F$, and so $\mathit{loc}(h')$ is disjoint from $F \cup \{l\}$. Notice that in this model, only the allocation and deallocation commands require ownership of the free set, since commands such as mutation and lookup are completely independent of the allocation status of other cells, and they are defined exactly as in example 2.8(2):

$$\mathit{mutate}[x, v](h) = \begin{cases} \{h' \bullet x \mapsto l \bullet l \mapsto v\} & h = h' \bullet x \mapsto l \bullet l \mapsto w \\ \top & \text{otherwise} \end{cases}$$

$$\mathit{lookup}[x, y](h) = \begin{cases} \{h' \bullet x \mapsto l \bullet l \mapsto w \bullet y \mapsto w\} & h = h' \bullet x \mapsto l \bullet l \mapsto w \bullet y \mapsto v \\ \top & \text{otherwise} \end{cases}$$

Lemma 6.2. The functions $\mathit{new}[x]$, $\mathit{dispose}[x]$, $\mathit{mutate}[x, v]$ and $\mathit{lookup}[x, y]$ are all local in the separation algebra $(H, \bullet, u_H)$ of example 6.1.

Proof. Let $f = \mathit{new}[x]$ and assume $h' \# h$. We want to show $f(h' \bullet h) \sqsubseteq \{h'\} \star f(h)$. Assume $h = h'' \bullet x \mapsto v \bullet F$ for some $h''$, $x$, $l$, $v$ and $F$, because otherwise $f(h) = \top$ and we are done. So we have

$$f(h' \bullet h) = \{h' \bullet h'' \bullet x \mapsto l \bullet l \mapsto w \bullet F \setminus \{l\} \mid w \in \mathit{Val},\ l \in F\}$$
$$= \{h'\} \star \{h'' \bullet x \mapsto l \bullet l \mapsto w \bullet F \setminus \{l\} \mid w \in \mathit{Val},\ l \in F\}$$
$$= \{h'\} \star f(h)$$

The other functions can be checked in a similar way. □



AD(h) 



6.2. Safety footprints for AD. We consider the footprint of the AD command in the new model. 
In this model the sequential composition new[i]; dispose [x] gives the function 

{ti • xh! • F | I G F} h = ti »x^vF 

T otherwise 

The smallest safe states are given by the set {x i— > v • F \ v G Val, F G V(L)}. By lemma l4~4l 
these smallest safe states are footprints. However, unlike before, in this model these are the only 
footprints of the AD command. To see this, consider a larger state h • x i— > v • F for non-empty h. 
We have 

AD{h»x^vF) = {h»x^UF \ I G F} 

= {h} * {x^-l • F \ leF} 
= {h} * AD(x^v • F) 
Since the local limit LadQi • x i— > v • F) C {/i} * AD(x ^ v • F) by definition, we have by 
proposition 14.21 that Ljix){h • x i— > f • F) = AD(h • x i— > u • F), and so/i«xi— >t>«Fis not a 
footprint of AD. 

Thus the footprints of AD in this model do not include any non-empty heaps. By corollary 5.6,
in this model the AD command has a smallest complete specification in which the pre-condition
only describes the empty heap. This specification is

$$
\{(\{x \mapsto v \bullet F\},\ \{x \mapsto l \bullet F\}) \mid v \in Val,\ F \in \mathcal{P}(L),\ l \in F\}
$$

$$
\llbracket c \rrbracket \in LocFunc \qquad \llbracket skip \rrbracket(\sigma) = \{\sigma\}
$$
$$
\llbracket C_1; C_2 \rrbracket = \llbracket C_1 \rrbracket; \llbracket C_2 \rrbracket \qquad
\llbracket C_1 + C_2 \rrbracket = \llbracket C_1 \rrbracket \cup \llbracket C_2 \rrbracket \qquad
\llbracket C^* \rrbracket = \bigcup_{n} \llbracket C \rrbracket^n
$$

Figure 2: Denotational semantics for the imperative programming language

Intuitively, it says that if initially the heap is empty, the variable x is present in the stack, and we
know which cells are free in the global heap, then after the execution, the heap will still be empty,
exactly the same cells will still be free, and x will point to one of those free cells. This completely
describes the behaviour of the command for all larger states using the frame rule. For example, we
get the complete specification on the larger state in which 42 is allocated:

$$
\{(\{42 \mapsto w\} * \{x \mapsto v \bullet F\},\ \{42 \mapsto w\} * \{x \mapsto l \bullet F\}) \mid v, w \in Val,\ F \in \mathcal{P}(L),\ l \in F\}
$$

In the pre-condition, the presence of location 42 in the heap means that 42 is not in the free set 
F (by definition of *). Therefore, in the post-condition, x cannot point to 42. 

Notice that in order to check that we have 'regained' safety footprints, we only needed to check
that the footprint definition (definition 4.3) corresponds to the smallest safe states. The desired prop-
erties such as essentiality, sufficiency, and small specifications then follow by the results established
in previous sections.

6.3. Safety footprints for arbitrary programs. Now that we have regained the safety footprints
for AD in the new model, we want to know if this is generally the case for any program. We consider
the abstract imperative programming language given in [9]:

$$
C ::= c \mid skip \mid C; C \mid C + C \mid C^*
$$

where c ranges over an arbitrary collection of primitive commands, + is nondeterministic choice, ;
is sequential composition, and $(\cdot)^*$ is Kleene-star (iterated ;). As discussed in [9], conditionals and
while loops can be encoded using +, $(\cdot)^*$ and assume statements. The denotational semantics of
commands is given in Figure 2.

Taking the primitive commands to be new[x], dispose[x], mutate[x, v], and lookup[x, y], our 
original aim was to show that, for every command C, the footprints of [C] in the new model are 
the smallest safe states. However, in attempting to do this, we identified a general condition on 
primitive commands under which the result holds for arbitrary separation algebras. 

Let $f$ be a local function on a separation algebra $\Sigma$. If, for $A \in \mathcal{P}(\Sigma)$, we define $f(A) =
\bigcup_{\sigma \in A} f(\sigma)$, then the locality condition (definition 2.6) can be restated as

$$
\forall \sigma', \sigma \in \Sigma.\ f(\{\sigma'\} * \{\sigma\}) \subseteq \{\sigma'\} * f(\{\sigma\})
$$

The $\subseteq$ ordering in this definition allows local functions to be more deterministic on larger states.
This sensitivity of determinism to larger states is apparent in the AD command in the standard model
from example 2.8(2). On the empty heap, the command produces an empty heap, and reassigns vari-
able x to any value, while on the singleton cell $l$, it disallows the possibility that $x = l$ afterwards.
In the new model, the AD command does not have this sensitivity of determinism in the output 
states. In this case, the presence or absence of the cell 1 does not affect the outcomes of the AD 
command, since the command can only assign x to a value chosen from the free set, which does not 
change no matter what additional cells may be framed in. With this observation, we consider the 
general class of local functions in which this sensitivity of determinism is not present. 
Definition 6.3 (Determinism Constancy). Let $f$ be a local function and $safe(f)$ the set of states on
which $f$ does not fault. $f$ has the determinism constancy property iff, for every $\sigma \in safe(f)$,

$$
\forall \sigma' \in \Sigma.\ f(\{\sigma'\} * \{\sigma\}) = \{\sigma'\} * f(\{\sigma\})
$$

Notice that the determinism constancy property by itself implies that the function is local, and
it can therefore be thought of as a form of 'strong locality'. Firstly, we find that local functions that
have determinism constancy always have footprints given by the smallest safe states.

Lemma 6.4. If a local function f has determinism constancy then its footprints are the smallest
safe states.

Proof. Let $min(f)$ be the smallest safe states of $f$. These are footprints by lemma 4.4. For any
larger state $\sigma' \bullet \sigma$ where $\sigma \in min(f)$, $\sigma' \in \Sigma$ and $\sigma'$ is non-empty, we have

$$
f(\sigma' \bullet \sigma) = f(\{\sigma'\} * \{\sigma\}) = \{\sigma'\} * f(\sigma)
$$

Since $L_f(\sigma' \bullet \sigma) \subseteq \{\sigma'\} * f(\sigma)$, by proposition 4.2 we have that $L_f(\sigma' \bullet \sigma) = f(\sigma' \bullet \sigma)$, and so
$\sigma' \bullet \sigma$ is not a footprint of $f$. □

We now demonstrate that the determinism constancy property is preserved by all the constructs
of our programming language. This implies that if all the primitive commands of the programming
language have determinism constancy, then the footprints of every program are the smallest safe
states.

Theorem 6.5. If all the primitive commands of the programming language have determinism con-
stancy, then the footprint of every program is given by the smallest safe states.

Proof. Assuming all primitive commands have determinism constancy, we shall show by induction
that every composite command has determinism constancy and the result follows by lemma 6.4.
So for commands $C_1$ and $C_2$, let $f = \llbracket C_1 \rrbracket$ and $g = \llbracket C_2 \rrbracket$ and assume $f$ and $g$ have determinism
constancy. For sequential composition we have, for $\sigma \in safe(f; g)$ and $\sigma' \in \Sigma$,

$$
\begin{aligned}
(f; g)(\{\sigma'\} * \{\sigma\}) &= g(f(\{\sigma'\} * \{\sigma\})) \\
&= g(\{\sigma'\} * f(\{\sigma\})) && \text{($f$ has determinism constancy and $\sigma \in safe(f)$)} \\
&= \bigcup_{\sigma'' \in f(\sigma)} g(\{\sigma'\} * \{\sigma''\}) \\
&= \bigcup_{\sigma'' \in f(\sigma)} \{\sigma'\} * g(\{\sigma''\}) && \text{($g$ has determinism constancy and $\sigma'' \in safe(g)$ since $\sigma \in safe(f; g)$)} \\
&= \{\sigma'\} * \bigcup_{\sigma'' \in f(\sigma)} g(\sigma'') && \text{(distributivity)} \\
&= \{\sigma'\} * (f; g)(\sigma)
\end{aligned}
$$

For non-deterministic choice, we have for $\sigma \in safe(f + g)$ and $\sigma' \in \Sigma$,

$$
\begin{aligned}
(f + g)(\{\sigma'\} * \{\sigma\}) &= f(\{\sigma'\} * \{\sigma\}) \cup g(\{\sigma'\} * \{\sigma\}) \\
&= \{\sigma'\} * f(\{\sigma\}) \cup \{\sigma'\} * g(\{\sigma\}) && \text{($f$ and $g$ have determinism constancy and $\sigma \in safe(f)$ and $\sigma \in safe(g)$ since $\sigma \in safe(f + g)$)} \\
&= \{\sigma'\} * (f(\{\sigma\}) \cup g(\{\sigma\})) && \text{(distributivity)} \\
&= \{\sigma'\} * (f + g)(\{\sigma\})
\end{aligned}
$$

For Kleene-star, we have for $\sigma \in safe(f^*)$ and $\sigma' \in \Sigma$,

$$
\begin{aligned}
f^*(\{\sigma'\} * \{\sigma\}) &= \bigcup_{n} f^n(\{\sigma'\} * \{\sigma\}) \\
&= \bigcup_{n} \{\sigma'\} * f^n(\{\sigma\}) && \text{(determinism constancy preserved under sequential composition and $\sigma \in safe(f^n)$)} \\
&= \{\sigma'\} * \bigcup_{n} f^n(\{\sigma\}) && \text{(distributivity)} \\
&= \{\sigma'\} * (f^*)(\{\sigma\})
\end{aligned}
$$
□

Now that we have shown the general result, it remains to check that all the primitive commands in
the new model of section 6.1 do have determinism constancy.

Proposition 6.6. Let $H_1$ be the stack and heap model of example 2.8(2) and $H_2$ be the alternative
model of section 6.1. The commands new[x], mutate[x, v] and lookup[x, y] all have determinism
constancy in both models. The dispose[x] command has determinism constancy in $H_2$ but not in
$H_1$.

Proof. We give the proofs for the new and dispose commands in the two models, and the cases for
mutate and lookup can be checked in a similar way. For dispose[x] in $H_1$, the following counterex-
ample shows that it does not have determinism constancy.

$$
\begin{aligned}
dispose[x](\{l \mapsto v\} * \{x \mapsto l \bullet l \mapsto w\}) &= dispose[x](\emptyset) \\
&= \emptyset \\
&\subset \{l \mapsto v \bullet x \mapsto l\} \\
&= \{l \mapsto v\} * dispose[x](x \mapsto l \bullet l \mapsto w)
\end{aligned}
$$

For $new[x]$ in $H_1$, any safe state is of the form $h \bullet x \mapsto v$. For any $h' \in H_1$, we have

$$
\{h'\} * new[x](h \bullet x \mapsto v) = \{h'\} * \{h \bullet x \mapsto l \bullet l \mapsto w \mid w \in Val,\ l \in L \setminus loc(h)\} \qquad (\dagger)
$$

If $h' \bullet h \bullet x \mapsto v$ is undefined then $h'$ shares locations with $loc(h)$ or variables with $var(h) \cup \{x\}$.
This means that the RHS in (†) is the empty set. We have $new[x](\{h'\} * \{h \bullet x \mapsto v\}) = new[x](\emptyset) =
\emptyset = \{h'\} * new[x](h \bullet x \mapsto v)$. If $h' \bullet h \bullet x \mapsto v$ is defined, then

$$
\begin{aligned}
new[x](\{h'\} * \{h \bullet x \mapsto v\}) &= new[x](h' \bullet h \bullet x \mapsto v) \\
&= \{h' \bullet h \bullet x \mapsto l \bullet l \mapsto w \mid w \in Val,\ l \in L \setminus loc(h' \bullet h)\} \\
&= \{h'\} * \{h \bullet x \mapsto l \bullet l \mapsto w \mid w \in Val,\ l \in L \setminus loc(h' \bullet h)\} \\
&= \{h'\} * \{h \bullet x \mapsto l \bullet l \mapsto w \mid w \in Val,\ l \in L \setminus loc(h)\} \\
&= \{h'\} * new[x](h \bullet x \mapsto v)
\end{aligned}
$$

For $dispose[x]$ in $H_2$, any safe state is of the form $h \bullet x \mapsto l \bullet l \mapsto v \bullet F$. Let $h' \in H_2$. We have

$$
\{h'\} * dispose[x](h \bullet x \mapsto l \bullet l \mapsto v \bullet F) = \{h'\} * \{h \bullet x \mapsto l \bullet F \cup \{l\}\} \qquad (\dagger\dagger)
$$

If $h' \bullet h \bullet x \mapsto l \bullet l \mapsto v \bullet F$ is undefined then either $h'$ contains a free set or it contains locations
in $loc(h) \cup \{l\}$ or variables in $var(h) \cup \{x\}$. If $h'$ contains a free set or it contains locations in
$loc(h)$ or variables in $var(h) \cup \{x\}$, then the RHS in (††) is the empty set. If $h'$ contains the location
$l$ then also the RHS in (††) is the empty set since the free set $F \cup \{l\}$ also contains $l$. Thus in both
cases the RHS in (††) is the empty set, and we have $dispose[x](\{h'\} * \{h \bullet x \mapsto l \bullet l \mapsto v \bullet F\}) = \emptyset =
\{h'\} * dispose[x](h \bullet x \mapsto l \bullet l \mapsto v \bullet F)$.

If $h' \bullet h \bullet x \mapsto l \bullet l \mapsto v \bullet F$ is defined then we have

$$
\begin{aligned}
dispose[x](\{h'\} * \{h \bullet x \mapsto l \bullet l \mapsto v \bullet F\}) &= dispose[x](h' \bullet h \bullet x \mapsto l \bullet l \mapsto v \bullet F) \\
&= \{h' \bullet h \bullet x \mapsto l \bullet F \cup \{l\}\} \\
&= \{h'\} * \{h \bullet x \mapsto l \bullet F \cup \{l\}\} \\
&= \{h'\} * dispose[x](h \bullet x \mapsto l \bullet l \mapsto v \bullet F)
\end{aligned}
$$

For $new[x]$ in $H_2$, any safe state is of the form $h \bullet x \mapsto v \bullet F$. Let $h' \in H_2$. We have

$$
\{h'\} * new[x](h \bullet x \mapsto v \bullet F) = \{h'\} * \{h \bullet x \mapsto l \bullet l \mapsto w \bullet F \setminus \{l\} \mid w \in Val,\ l \in F\} \qquad (\dagger\dagger\dagger)
$$

If $h' \bullet h \bullet x \mapsto v \bullet F$ is undefined then either $h'$ contains a free set or it contains locations in
$loc(h)$ or variables in $var(h) \cup \{x\}$. In all these cases the RHS in (†††) is the empty set, and so we
have $new[x](\{h'\} * \{h \bullet x \mapsto v \bullet F\}) = \emptyset = \{h'\} * new[x](h \bullet x \mapsto v \bullet F)$.
If $h' \bullet h \bullet x \mapsto v \bullet F$ is defined then we have

$$
\begin{aligned}
new[x](\{h'\} * \{h \bullet x \mapsto v \bullet F\}) &= new[x](h' \bullet h \bullet x \mapsto v \bullet F) \\
&= \{h' \bullet h \bullet x \mapsto l \bullet l \mapsto w \bullet F \setminus \{l\} \mid w \in Val,\ l \in F\} \\
&= \{h'\} * \{h \bullet x \mapsto l \bullet l \mapsto w \bullet F \setminus \{l\} \mid w \in Val,\ l \in F\} \\
&= \{h'\} * new[x](h \bullet x \mapsto v \bullet F)
\end{aligned}
$$
□

Thus theorem 6.5 and proposition 6.6 tell us that, using the alternative model of example 6.1,
the footprint of every program is given by the smallest safe states, and hence we have regained
safety footprints for all programs. In fact, the same is true for the original model of example 2.8(2)
if we do not include the dispose command as a primitive command, since all the other primitive
commands have determinism constancy. This, for example, would be the case when modelling a
garbage collected language [16].
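As an added example (not code from the paper), the following Python encodes the two heap models' dispose[x] and checks the determinism constancy equation of definition 6.3 on the constructed counterexample from the proof of proposition 6.6, so that the role of the explicit free set F from sections 6.1 and 6.2 can be exercised directly. The finite frame set, the locations and the values are constructed assumptions; the helper names are not the paper's.

```python
# Added example (not the paper's code): a finite, executable model of dispose[x]
# in H1 (stack + heap, example 2.8(2)) and H2 (stack + heap + explicit free set F,
# section 6.1), with a check of determinism constancy (definition 6.3).
FAULT = None  # the fault value T (top); every other result is a set of states
def state(stack=(), heap=(), free=None):
    """A state is (stack, heap, free set); free=None means the state owns no F."""
    return (frozenset(stack), frozenset(heap), None if free is None else frozenset(free))

def compose(s1, s2):
    """Partial '.': disjoint stacks and heaps, at most one free set, F disjoint from heap."""
    (st1, h1, f1), (st2, h2, f2) = s1, s2
    if (dict(st1).keys() & dict(st2).keys() or dict(h1).keys() & dict(h2).keys()
            or (f1 is not None and f2 is not None)):
        return None
    f = f1 if f1 is not None else f2
    if f is not None and f & (dict(h1).keys() | dict(h2).keys()):
        return None
    return (st1 | st2, h1 | h2, f)

def star(A, B):
    """A * B = {a . b | a in A, b in B, a . b defined}; a fault on either side absorbs."""
    if A is FAULT or B is FAULT:
        return FAULT
    return {c for a in A for b in B if (c := compose(a, b)) is not None}

def dispose(x, s, with_free):
    """dispose[x]; in H2 (with_free) the state must own F, which regains the cell."""
    stack, heap, f = dict(s[0]), dict(s[1]), s[2]
    if x not in stack or stack[x] not in heap or (with_free and f is None):
        return FAULT
    l = stack[x]
    del heap[l]
    return {state(stack.items(), heap.items(), f | {l} if with_free else None)}

def lifted(fn, A):
    """f(A) = union of f(a) over a in A; faults if any a does (so f(empty) = empty)."""
    rs = [fn(a) for a in A]
    return FAULT if FAULT in rs else set().union(*rs)

def has_determinism_constancy(fn, s, frames):
    """Definition 6.3 on a finite set of frames: f({s'} * {s}) == {s'} * f(s)."""
    return all(lifted(fn, star({s_}, {s})) == star({s_}, fn(s)) for s_ in frames)

# Constructed instance of the counterexample in the proof of proposition 6.6:
# frame l|->v (l=1, v=7) against x|->l . l|->w (w=3), plus two frames that compose.
FRAMES = [state(heap=[(1, 7)]), state(heap=[(3, 5)]), state(stack=[("y", 0)])]
H1_STATE = state(stack=[("x", 1)], heap=[(1, 3)])            # H1: no free set
H2_STATE = state(stack=[("x", 1)], heap=[(1, 3)], free={2})  # H2: F = {2}
dispose_h1 = lambda s: dispose("x", s, with_free=False)
dispose_h2 = lambda s: dispose("x", s, with_free=True)
```

The aliasing frame l↦v is the only one on which the two sides differ in H1: the composition is undefined, so the left side is the empty set, while the right side still contains l↦v • x↦l; in H2 the same frame also empties the right side because the disposed location has been returned to F.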
7. Conclusions

We have developed a general theory of footprints in the abstract setting of local functions 
that act on separation algebras. Although central and intuitive concepts in local reasoning, the 
notion of footprints and small specifications had evaded a formal general treatment until now. The 
main obstacle was presented by the AD problem, which demonstrated the inadequacy of the safety 
footprint notion in yielding complete specifications. In addressing this issue, we first investigated the 
notion of footprint which does not suffer from this inadequacy. Based on an analysis of the definition 
of locality, we introduced the definition of the footprint of a local function, and demonstrated that, 
according to this definition, the footprints are the only essential elements necessary to obtain a 
complete specification of the function. For well-founded resource models, we showed that the 
footprints are also sufficient, and we also presented results for non-well-founded models. 

Having established the footprint definition, we then explored the conditions under which the 
safety footprint does correspond to the actual footprint. We introduced an alternative heap model in 
which safety footprints are regained for every program, including AD. We also presented a general 
condition on local functions in arbitrary models under which safety footprints are regained, and 
showed that if this condition is met by all the primitive commands of the programming language, 
then safety footprints are regained for every program. The theory of footprints has proven very 
useful in exploring the situations in which safety footprints could be regained, as one only needs to 
check that the smallest safe states correspond to the footprint definition 4.3. This automatically gives
the required properties such as essentiality and sufficiency, which, without the footprint definition 
and theorems, would need to be explicitly checked in the different cases. 

Finally, we comment on some related work. The discussion in this paper has been based on 
the static notion of footprints as states of the resource on which a program acts. A different notion 
of footprint has recently been described in [10], where footprints are viewed as traces of execution
of a computation. O'Hearn has described how the AD problem is avoided in this more elaborate 
semantics, as the allocation of cells in an execution prevents the framing of those cells. Interestingly, 
however, the heap model from example 16.11 illustrates that it is not essential to move to this more 
elaborate setting and incorporate dynamic, execution-specific information into the footprint in order 
to resolve the AD problem. Instead, with the explicit representation of free cells in states, one can 
remain in an extensional semantics and have a purely static, resource-based (rather than execution- 
based) view of footprints. 